mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
Merge branches 'server_ciphers' and 'ciphers.inc'
This commit is contained in:
Nick Mathewson
commit
67eb6470d7
5
changes/ciphers.inc
Normal file
5
changes/ciphers.inc
Normal file
@ -0,0 +1,5 @@
|
||||
o Minor features (ciphersuite selection):
|
||||
- Clients now advertise a list of ciphersuites closer to the ones
|
||||
preferred by Firefox. Closes ticket #15426.
|
||||
|
||||
|
||||
3
changes/server_cipher
Normal file
3
changes/server_cipher
Normal file
@ -0,0 +1,3 @@
|
||||
o Minor features (ciphersuite choices):
|
||||
- Allow servers to accept a wider range of ciphersuites, including
|
||||
chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
|
||||
@ -13,13 +13,13 @@ import sys
|
||||
|
||||
EPHEMERAL_INDICATORS = [ "_EDH_", "_DHE_", "_ECDHE_" ]
|
||||
BAD_STUFF = [ "_DES_40_", "MD5", "_RC4_", "_DES_64_",
|
||||
"_SEED_", "_CAMELLIA_", "_NULL" ]
|
||||
"_SEED_", "_CAMELLIA_", "_NULL",
|
||||
"_CCM_8", "_DES_", ]
|
||||
|
||||
# these never get #ifdeffed.
|
||||
MANDATORY = [
|
||||
"TLS1_TXT_DHE_RSA_WITH_AES_256_SHA",
|
||||
"TLS1_TXT_DHE_RSA_WITH_AES_128_SHA",
|
||||
"SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA",
|
||||
]
|
||||
|
||||
def find_ciphers(filename):
|
||||
@ -48,15 +48,23 @@ def usable_cipher(ciph):
|
||||
# All fields we sort on, in order of priority.
|
||||
FIELDS = [ 'cipher', 'fwsec', 'mode', 'digest', 'bitlength' ]
|
||||
# Map from sorted fields to recognized value in descending order of goodness
|
||||
FIELD_VALS = { 'cipher' : [ 'AES', 'DES'],
|
||||
FIELD_VALS = { 'cipher' : [ 'AES', 'CHACHA20' ],
|
||||
'fwsec' : [ 'ECDHE', 'DHE' ],
|
||||
'mode' : [ 'GCM', 'CBC' ],
|
||||
'digest' : [ 'SHA384', 'SHA256', 'SHA' ],
|
||||
'mode' : [ 'POLY1305', 'GCM', 'CCM', 'CBC', ],
|
||||
'digest' : [ 'n/a', 'SHA384', 'SHA256', 'SHA', ],
|
||||
'bitlength' : [ '256', '128', '192' ],
|
||||
}
|
||||
|
||||
class Ciphersuite(object):
|
||||
def __init__(self, name, fwsec, cipher, bitlength, mode, digest):
|
||||
if fwsec == 'EDH':
|
||||
fwsec = 'DHE'
|
||||
|
||||
if mode in [ '_CBC3', '_CBC', '' ]:
|
||||
mode = 'CBC'
|
||||
elif mode == '_GCM':
|
||||
mode = 'GCM'
|
||||
|
||||
self.name = name
|
||||
self.fwsec = fwsec
|
||||
self.cipher = cipher
|
||||
@ -74,42 +82,50 @@ class Ciphersuite(object):
|
||||
def parse_cipher(ciph):
|
||||
m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)(|_CBC|_CBC3|_GCM)_(SHA|SHA256|SHA384)$', ciph)
|
||||
|
||||
if not m:
|
||||
print "/* Couldn't parse %s ! */"%ciph
|
||||
return None
|
||||
if m:
|
||||
fwsec, cipher, bits, mode, digest = m.groups()
|
||||
return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest)
|
||||
|
||||
fwsec, cipher, bits, mode, digest = m.groups()
|
||||
if fwsec == 'EDH':
|
||||
fwsec = 'DHE'
|
||||
m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)_CCM', ciph)
|
||||
if m:
|
||||
fwsec, cipher, bits = m.groups()
|
||||
return Ciphersuite(ciph, fwsec, cipher, bits, "CCM", "n/a")
|
||||
|
||||
if mode in [ '_CBC3', '_CBC', '' ]:
|
||||
mode = 'CBC'
|
||||
elif mode == '_GCM':
|
||||
mode = 'GCM'
|
||||
m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_CHACHA20_POLY1305', ciph)
|
||||
if m:
|
||||
fwsec, = m.groups()
|
||||
return Ciphersuite(ciph, fwsec, "CHACHA20", "256", "POLY1305", "n/a")
|
||||
|
||||
print "/* Couldn't parse %s ! */"%ciph
|
||||
return None
|
||||
|
||||
return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest)
|
||||
|
||||
ALL_CIPHERS = []
|
||||
|
||||
for fname in sys.argv[1:]:
|
||||
ALL_CIPHERS += (parse_cipher(c)
|
||||
for c in find_ciphers(fname)
|
||||
if usable_cipher(c) )
|
||||
for c in find_ciphers(fname):
|
||||
if usable_cipher(c):
|
||||
parsed = parse_cipher(c)
|
||||
if parsed != None:
|
||||
ALL_CIPHERS.append(parsed)
|
||||
|
||||
ALL_CIPHERS.sort(key=Ciphersuite.sort_key)
|
||||
|
||||
indent = " "*7
|
||||
|
||||
for c in ALL_CIPHERS:
|
||||
if c is ALL_CIPHERS[-1]:
|
||||
colon = ';'
|
||||
colon = ''
|
||||
else:
|
||||
colon = ' ":"'
|
||||
|
||||
if c.name in MANDATORY:
|
||||
print " /* Required */"
|
||||
print ' %s%s'%(c.name,colon)
|
||||
print "%s/* Required */"%indent
|
||||
print '%s%s%s'%(indent,c.name,colon)
|
||||
else:
|
||||
print "#ifdef %s"%c.name
|
||||
print ' %s%s'%(c.name,colon)
|
||||
print '%s%s%s'%(indent,c.name,colon)
|
||||
print "#endif"
|
||||
|
||||
print '%s;'%indent
|
||||
|
||||
|
||||
13
scripts/codegen/get_mozilla_ciphers.py
Normal file → Executable file
13
scripts/codegen/get_mozilla_ciphers.py
Normal file → Executable file
@ -127,9 +127,9 @@ for k, v in enabled_ciphers.items():
|
||||
#oSSLinclude = ('/usr/include/openssl/ssl3.h', '/usr/include/openssl/ssl.h',
|
||||
# '/usr/include/openssl/ssl2.h', '/usr/include/openssl/ssl23.h',
|
||||
# '/usr/include/openssl/tls1.h')
|
||||
oSSLinclude = ('ssl/ssl3.h', 'ssl/ssl.h',
|
||||
'ssl/ssl2.h', 'ssl/ssl23.h',
|
||||
'ssl/tls1.h')
|
||||
oSSLinclude = ['ssl3.h', 'ssl.h'
|
||||
'ssl2.h', 'ssl23.h',
|
||||
'tls1.h']
|
||||
|
||||
#####
|
||||
# This reads the hex code for the ciphers that are used by firefox.
|
||||
@ -155,9 +155,12 @@ for x in used_ciphers:
|
||||
openssl_macro_by_hex = {}
|
||||
all_openssl_macros = {}
|
||||
for fl in oSSLinclude:
|
||||
fp = open(ossl(fl), 'r')
|
||||
fname = ossl("include/openssl/"+fl)
|
||||
if not os.path.exists(fname):
|
||||
continue
|
||||
fp = open(fname, 'r')
|
||||
for line in fp.readlines():
|
||||
m = re.match('#define\s+(\S+)\s+(\S+)', line)
|
||||
m = re.match('# *define\s+(\S+)\s+(\S+)', line)
|
||||
if m:
|
||||
value,key = m.groups()
|
||||
if key.startswith('0x') and "_CK_" in value:
|
||||
|
||||
@ -14,6 +14,26 @@
|
||||
#else
|
||||
XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||
CIPHER(0xcca9, TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
|
||||
#else
|
||||
XCIPHER(0xcca9, TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
CIPHER(0xcca8, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305)
|
||||
#else
|
||||
XCIPHER(0xcca8, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
CIPHER(0xc02c, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
||||
#else
|
||||
XCIPHER(0xc02c, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
CIPHER(0xc030, TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
#else
|
||||
XCIPHER(0xc030, TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
#else
|
||||
@ -34,88 +54,28 @@
|
||||
#else
|
||||
XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
|
||||
CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
|
||||
CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_DSS_WITH_AES_128_SHA
|
||||
CIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
|
||||
CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
|
||||
CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
|
||||
CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
|
||||
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
|
||||
CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
|
||||
CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_RC4_128_SHA
|
||||
CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_RC4_128_MD5
|
||||
CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
|
||||
#else
|
||||
XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
|
||||
#endif
|
||||
|
||||
@ -585,6 +585,12 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_CCM ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_CCM ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
|
||||
#endif
|
||||
@ -594,8 +600,14 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
|
||||
/* Required */
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
|
||||
/* Required */
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
|
||||
;
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
|
||||
TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
|
||||
#endif
|
||||
;
|
||||
|
||||
/* Note: to set up your own private testing network with link crypto
|
||||
* disabled, set your Tors' cipher list to
|
||||
|
||||
Loading…
Reference in New Issue
Block a user