Merge remote-tracking branch 'public/update_ciphers_ff28'

This commit is contained in:
Nick Mathewson 2014-04-08 20:43:21 -04:00
commit 88179bd9b6
3 changed files with 90 additions and 127 deletions

6
changes/ff28_ciphers Normal file
View File

@ -0,0 +1,6 @@
o Minor features (performance, compatibility):
- Update the list of TLS cipehrsuites that a client advertises
to match those advertised by Firefox 28. This enables selection of
(fast) GCM ciphersuites, disables some strange old ciphers, and
disables the ECDH (not to be confused with ECDHE) ciphersuites.
Resolves ticket 11438.

View File

@ -4,85 +4,50 @@
*
* This file was automatically generated by get_mozilla_ciphers.py.
*/
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#else
XCIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
CIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
#else
XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
#endif
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
#else
XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#else
XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
#else
XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
CIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
#else
XCIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
#else
XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
#endif
#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
#else
XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
#endif
#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA
CIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
#else
XCIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA
CIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
#else
XCIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
#else
XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#else
XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
#else
XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
#else
XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
#else
XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
#else
XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
#endif
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#else
XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#endif
#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
CIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
#else
XCIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
#else
XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
#else
XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
#endif
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
@ -94,89 +59,63 @@
#else
XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
#endif
#ifdef TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA
CIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
#else
XCIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
#endif
#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA
CIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
#else
XCIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
#endif
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA
CIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
#else
XCIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
#endif
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA
CIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
#else
XCIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
#endif
#ifdef TLS1_TXT_RSA_WITH_SEED_SHA
CIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
#else
XCIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
#endif
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
#else
XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
#endif
#ifdef SSL3_TXT_RSA_RC4_128_MD5
CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
#else
XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
#endif
#ifdef SSL3_TXT_RSA_RC4_128_SHA
CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
#else
XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
#endif
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
#else
XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA
CIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
#else
XCIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
#else
XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
#endif
#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
#else
XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
#endif
#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
#else
XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
#endif
#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
#else
XCIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
#endif
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA
CIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#else
XCIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#endif
/* No openssl macro found for 0xfeff */
#ifdef SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
CIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
#else
XCIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
#endif
#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
#else
XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
#endif
#ifdef SSL3_TXT_RSA_RC4_128_SHA
CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
#else
XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
#endif
#ifdef SSL3_TXT_RSA_RC4_128_MD5
CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
#else
XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
#endif

View File

@ -41,12 +41,12 @@ fileA = open(ff('security/manager/ssl/src/nsNSSComponent.cpp'),'r')
inCipherSection = False
cipherLines = []
for line in fileA:
if line.startswith('static CipherPref CipherPrefs'):
if line.startswith('static const CipherPref sCipherPrefs[]'):
# Get the starting boundary of the Cipher Preferences
inCipherSection = True
elif inCipherSection:
line = line.strip()
if line.startswith('{NULL, 0}'):
if line.startswith('{ nullptr, 0}'):
# At the ending boundary of the Cipher Prefs
break
else:
@ -56,12 +56,30 @@ fileA.close()
# Parse the lines and put them into a dict
ciphers = {}
cipher_pref = {}
key_pending = None
for line in cipherLines:
m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S*)\s*}', line)
m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S+)\s*(?:,\s*(true|false))?\s*}', line)
if m:
key,value = m.groups()
ciphers[key] = value
cipher_pref[value] = key
assert not key_pending
key,value,enabled = m.groups()
if enabled == 'true':
ciphers[key] = value
cipher_pref[value] = key
continue
m = re.search(r'^{\s*\"([^\"]+)\",', line)
if m:
assert not key_pending
key_pending = m.group(1)
continue
m = re.search(r'^\s*(\S+)(?:,\s*(true|false))?\s*}', line)
if m:
assert key_pending
key = key_pending
value,enabled = m.groups()
key_pending = None
if enabled == 'true':
ciphers[key] = value
cipher_pref[value] = key
####
# Now find the correct order for the ciphers