JBossWeb SVN: r2511 - in branches/7.5.x/src/main/java: org/apache/tomcat/util/security and 4 other directories.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-29 11:13:58 -0400 (Mon, 29 Sep 2014)
New Revision: 2511
Added:
branches/7.5.x/src/main/java/org/apache/tomcat/util/security/ConcurrentMessageDigest.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/MessagePart.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/PerMessageDeflate.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Transformation.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationFactory.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationResult.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtension.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtensionParameter.java
Modified:
branches/7.5.x/src/main/java/javax/websocket/Session.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Constants.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Util.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameBase.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameClient.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplClient.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsSession.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerBase.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerPartialBase.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerWholeBase.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/UpgradeUtil.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsFrameServer.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java
branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
branches/7.5.x/src/main/java/org/jboss/web/CoyoteMessages.java
branches/7.5.x/src/main/java/org/jboss/web/WebsocketsMessages.java
Log:
Rebase on the Tomcat upstream websockets (1.1 + compression support).
Modified: branches/7.5.x/src/main/java/javax/websocket/Session.java
===================================================================
--- branches/7.5.x/src/main/java/javax/websocket/Session.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/javax/websocket/Session.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -31,8 +31,22 @@
*/
WebSocketContainer getContainer();
- void addMessageHandler(MessageHandler listener)
- throws IllegalStateException;
+ /**
+ * Registers a {@link MessageHandler} for incoming messages. Only one
+ * {@link MessageHandler} may be registered for each message type (text,
+ * binary, pong). The message type will be derived at runtime from the
+ * provided {@link MessageHandler} instance. It is not always possible to do
+ * this so it is better to use
+ * {@link #addMessageHandler(Class, javax.websocket.MessageHandler.Partial)}
+ * or
+ * {@link #addMessageHandler(Class, javax.websocket.MessageHandler.Whole)}.
+ *
+ * @param listener The message handler for a incoming message
+ *
+ * @throws IllegalStateException If a message handler has already been
+ * registered for the associated message type
+ */
+ void addMessageHandler(MessageHandler listener) throws IllegalStateException;
Set<MessageHandler> getMessageHandlers();
@@ -126,4 +140,34 @@
* this session is associated with.
*/
Set<Session> getOpenSessions();
+
+ /**
+ * Registers a {@link MessageHandler} for partial incoming messages. Only
+ * one {@link MessageHandler} may be registered for each message type (text
+ * or binary, pong messages are never presented as partial messages).
+ *
+ * @param clazz The type of message that the given handler is intended
+ * for
+ * @param listener The message handler for a incoming message
+ *
+ * @throws IllegalStateException If a message handler has already been
+ * registered for the associated message type
+ */
+ <T> void addMessageHandler(Class<T> clazz, MessageHandler.Partial<T> handler)
+ throws IllegalStateException;
+
+ /**
+ * Registers a {@link MessageHandler} for whole incoming messages. Only
+ * one {@link MessageHandler} may be registered for each message type (text,
+ * binary, pong).
+ *
+ * @param clazz The type of message that the given handler is intended
+ * for
+ * @param listener The message handler for a incoming message
+ *
+ * @throws IllegalStateException If a message handler has already been
+ * registered for the associated message type
+ */
+ <T> void addMessageHandler(Class<T> clazz, MessageHandler.Whole<T> handler)
+ throws IllegalStateException;
}
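Review bot: The Javadoc for both new `addMessageHandler(Class<T>, ...)` overloads documents `@param listener`, but the parameter in each signature is named `handler`, so the tag matches nothing and Javadoc tooling will warn about it. Rename the tag to `@param handler The message handler for an incoming message` in both comments. The same "a incoming" wording appears in the single-argument overload's Javadoc in the first hunk of this file.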
Added: branches/7.5.x/src/main/java/org/apache/tomcat/util/security/ConcurrentMessageDigest.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/security/ConcurrentMessageDigest.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/security/ConcurrentMessageDigest.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import static org.jboss.web.CoyoteMessages.MESSAGES;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Queue;
+import java.util.concurrent.ConcurrentLinkedQueue;
+
+/**
+ * A thread safe wrapper around {@link MessageDigest} that does not make use
+ * of ThreadLocal and - broadly - only creates enough MessageDigest objects
+ * to satisfy the concurrency requirements.
+ */
+public class ConcurrentMessageDigest {
+
+ private static final String MD5 = "MD5";
+ private static final String SHA1 = "SHA-1";
+
+ private static final Map<String,Queue<MessageDigest>> queues =
+ new HashMap<String,Queue<MessageDigest>>();
+
+
+ private ConcurrentMessageDigest() {
+ // Hide default constructor for this utility class
+ }
+
+ static {
+ try {
+ // Init commonly used algorithms
+ init(MD5);
+ init(SHA1);
+ } catch (NoSuchAlgorithmException e) {
+ throw new IllegalArgumentException(e);
+ }
+ }
+
+ public static byte[] digestMD5(byte[]... input) {
+ return digest(MD5, input);
+ }
+
+ public static byte[] digestSHA1(byte[]... input) {
+ return digest(SHA1, input);
+ }
+
+ public static byte[] digest(String algorithm, byte[]... input) {
+
+ Queue<MessageDigest> queue = queues.get(algorithm);
+ if (queue == null) {
+ throw MESSAGES.mustInitFirst();
+ }
+
+ MessageDigest md = queue.poll();
+ if (md == null) {
+ try {
+ md = MessageDigest.getInstance(algorithm);
+ } catch (NoSuchAlgorithmException e) {
+ // Ignore. Impossible if init() has been successfully called
+ // first.
+ throw MESSAGES.mustInitFirst();
+ }
+ }
+
+ for (byte[] bytes : input) {
+ md.update(bytes);
+ }
+ byte[] result = md.digest();
+
+ queue.add(md);
+
+ return result;
+ }
+
+
+ /**
+ * Ensures that {@link #digest(String, byte[][])} will support the specified
+ * algorithm. This method <b>must</b> be called and return successfully
+ * before using {@link #digest(String, byte[][])}.
+ *
+ * @param algorithm The message digest algorithm to be supported
+ *
+ * @throws NoSuchAlgorithmException If the algorithm is not supported by the
+ * JVM
+ */
+ public static void init(String algorithm) throws NoSuchAlgorithmException {
+ synchronized (queues) {
+ if (!queues.containsKey(algorithm)) {
+ MessageDigest md = MessageDigest.getInstance(algorithm);
+ Queue<MessageDigest> queue = new ConcurrentLinkedQueue<MessageDigest>();
+ queue.add(md);
+ queues.put(algorithm, queue);
+ }
+ }
+ }
+}
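Review bot: digest() calls `queues.get(algorithm)` without the lock that init() holds while it calls `queues.put(...)`, and `queues` is a plain HashMap. An init() for a new algorithm that overlaps with digest() on another thread is therefore an unsynchronized read of a map under modification. Declaring the field as `new ConcurrentHashMap<String,Queue<MessageDigest>>()` (with the matching import) keeps the read path lock-free and makes it safe. The catch block's `// Ignore.` comment does not match the code, which throws; something like `// Should be impossible if init() succeeded for this algorithm` would be accurate. The class Javadoc could also state that digestMD5() and digestSHA1() are meant only for cases where a protocol mandates those algorithms, since neither is collision-resistant.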
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -552,7 +552,8 @@
public Thread newThread(Runnable r) {
Thread t = new Thread(r);
t.setName("WebSocketClient-SecureIO-" + count.incrementAndGet());
- t.setContextClassLoader(this.getClass().getClassLoader());
+ // No need to set the context class loader. The threads will be
+ // cleaned up when the connection is closed.
t.setDaemon(true);
return t;
}
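Review bot: The new comment in newThread() says the context class loader need not be set, but a thread built with `new Thread(r)` inherits the creating thread's context class loader. That may be a web application's loader when the client connection is opened from application code. The comment would be more useful if it said so, e.g. `// The thread inherits the creator's context class loader; the reference is released when the connection is closed and the executor is shut down.` Whether the executor is actually shut down on close is not visible in this hunk, and the enclosing factory class starts outside it.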
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Constants.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Constants.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Constants.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -16,8 +16,13 @@
*/
package org.apache.tomcat.websocket;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
import java.util.Locale;
+import javax.websocket.Extension;
+
/**
* Internal implementation constants.
*/
@@ -64,6 +69,14 @@
Boolean.getBoolean(
"org.apache.tomcat.websocket.RELAXED_CLOSE_EVENT");
+ public static final List<Extension> INSTALLED_EXTENSIONS;
+
+ static {
+ List<Extension> installed = new ArrayList<Extension>(1);
+ installed.add(new WsExtension("permessage-deflate"));
+ INSTALLED_EXTENSIONS = Collections.unmodifiableList(installed);
+ }
+
private Constants() {
// Hide default constructor
}
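Review bot: `INSTALLED_EXTENSIONS` is public, and `Collections.unmodifiableList` protects only the list, not the `WsExtension` it holds. PerMessageDeflate.getExtensionResponse() in this same commit adds entries to the list returned by `WsExtension.getParameters()`, which suggests the single shared instance published here can be modified by any caller. WsExtension is not visible in this hunk, so confirm this; if it holds, return copies or give the shared instance an unmodifiable parameter list. The literal could also reuse the existing constant, `installed.add(new WsExtension(PerMessageDeflate.NAME));`, so the advertised and negotiated names cannot drift apart.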
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/MessagePart.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/MessagePart.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/MessagePart.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import java.nio.ByteBuffer;
+
+import javax.websocket.SendHandler;
+
+class MessagePart {
+ private final boolean fin;
+ private final int rsv;
+ private final byte opCode;
+ private final ByteBuffer payload;
+ private final SendHandler intermediateHandler;
+ private volatile SendHandler endHandler;
+
+ public MessagePart( boolean fin, int rsv, byte opCode, ByteBuffer payload,
+ SendHandler intermediateHandler, SendHandler endHandler) {
+ this.fin = fin;
+ this.rsv = rsv;
+ this.opCode = opCode;
+ this.payload = payload;
+ this.intermediateHandler = intermediateHandler;
+ this.endHandler = endHandler;
+ }
+
+
+ public boolean isFin() {
+ return fin;
+ }
+
+
+ public int getRsv() {
+ return rsv;
+ }
+
+
+ public byte getOpCode() {
+ return opCode;
+ }
+
+
+ public ByteBuffer getPayload() {
+ return payload;
+ }
+
+
+ public SendHandler getIntermediateHandler() {
+ return intermediateHandler;
+ }
+
+
+ public SendHandler getEndHandler() {
+ return endHandler;
+ }
+
+ public void setEndHandler(SendHandler endHandler) {
+ this.endHandler = endHandler;
+ }
+}
+
+
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/PerMessageDeflate.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/PerMessageDeflate.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/PerMessageDeflate.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,424 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import static org.jboss.web.WebsocketsMessages.MESSAGES;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.zip.DataFormatException;
+import java.util.zip.Deflater;
+import java.util.zip.Inflater;
+
+import javax.websocket.Extension;
+import javax.websocket.Extension.Parameter;
+import javax.websocket.SendHandler;
+
+public class PerMessageDeflate implements Transformation {
+
+ private static final String SERVER_NO_CONTEXT_TAKEOVER = "server_no_context_takeover";
+ private static final String CLIENT_NO_CONTEXT_TAKEOVER = "client_no_context_takeover";
+ private static final String SERVER_MAX_WINDOW_BITS = "server_max_window_bits";
+ private static final String CLIENT_MAX_WINDOW_BITS = "client_max_window_bits";
+
+ private static final int RSV_BITMASK = 0x4;
+ private static final byte[] EOM_BYTES = new byte[] {0, 0, -1, -1};
+
+ public static final String NAME = "permessage-deflate";
+
+ private final boolean serverContextTakeover;
+ private final int serverMaxWindowBits;
+ private final boolean clientContextTakeover;
+ private final int clientMaxWindowBits;
+ private final Inflater inflater = new Inflater(true);
+ private final ByteBuffer readBuffer = ByteBuffer.allocate(Constants.DEFAULT_BUFFER_SIZE);
+ private final Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
+ private final byte[] EOM_BUFFER = new byte[EOM_BYTES.length + 1];
+
+ private volatile Transformation next;
+ private volatile boolean skipDecompression = false;
+ private volatile ByteBuffer writeBuffer = ByteBuffer.allocate(Constants.DEFAULT_BUFFER_SIZE);
+ private volatile boolean firstCompressedFrameWritten = false;
+
+ static PerMessageDeflate negotiate(List<List<Parameter>> preferences) {
+ // Accept the first preference that the server is able to support
+ for (List<Parameter> preference : preferences) {
+ boolean ok = true;
+ boolean serverContextTakeover = true;
+ int serverMaxWindowBits = -1;
+ boolean clientContextTakeover = true;
+ int clientMaxWindowBits = -1;
+
+ for (Parameter param : preference) {
+ if (SERVER_NO_CONTEXT_TAKEOVER.equals(param.getName())) {
+ if (serverContextTakeover) {
+ serverContextTakeover = false;
+ } else {
+ // Duplicate definition
+ throw MESSAGES.duplicateDeflateParameter(SERVER_NO_CONTEXT_TAKEOVER);
+ }
+ } else if (CLIENT_NO_CONTEXT_TAKEOVER.equals(param.getName())) {
+ if (clientContextTakeover) {
+ clientContextTakeover = false;
+ } else {
+ // Duplicate definition
+ throw MESSAGES.duplicateDeflateParameter(CLIENT_NO_CONTEXT_TAKEOVER );
+ }
+ } else if (SERVER_MAX_WINDOW_BITS.equals(param.getName())) {
+ if (serverMaxWindowBits == -1) {
+ serverMaxWindowBits = Integer.parseInt(param.getValue());
+ if (serverMaxWindowBits < 8 || serverMaxWindowBits > 15) {
+ throw MESSAGES.invalidDeflateWindowSize(SERVER_MAX_WINDOW_BITS,
+ Integer.valueOf(serverMaxWindowBits));
+ }
+ // Java SE API (as of Java 8) does not expose the API to
+ // control the Window size. It is effectively hard-coded
+ // to 15
+ if (serverMaxWindowBits != 15) {
+ ok = false;
+ break;
+ }
+ } else {
+ // Duplicate definition
+ throw MESSAGES.duplicateDeflateParameter(SERVER_MAX_WINDOW_BITS );
+ }
+ } else if (CLIENT_MAX_WINDOW_BITS.equals(param.getName())) {
+ if (clientMaxWindowBits == -1) {
+ if (param.getValue() == null) {
+ // Hint to server that the client supports this
+ // option. Java SE API (as of Java 8) does not
+ // expose the API to control the Window size. It is
+ // effectively hard-coded to 15
+ clientMaxWindowBits = 15;
+ } else {
+ clientMaxWindowBits = Integer.parseInt(param.getValue());
+ if (clientMaxWindowBits < 8 || clientMaxWindowBits > 15) {
+ throw MESSAGES.invalidDeflateWindowSize(CLIENT_MAX_WINDOW_BITS,
+ Integer.valueOf(clientMaxWindowBits));
+ }
+ }
+ // Not a problem is client specified a window size less
+ // than 15 since the server will always use a larger
+ // window it will still work.
+ } else {
+ // Duplicate definition
+ throw MESSAGES.duplicateDeflateParameter(CLIENT_MAX_WINDOW_BITS);
+ }
+ } else {
+ // Unknown parameter
+ throw MESSAGES.unkownDeflateParameter(param.getName());
+ }
+ }
+ if (ok) {
+ return new PerMessageDeflate(serverContextTakeover, serverMaxWindowBits,
+ clientContextTakeover, clientMaxWindowBits);
+ }
+ }
+ // Failed to negotiate agreeable terms
+ return null;
+ }
+
+
+ private PerMessageDeflate(boolean serverContextTakeover, int serverMaxWindowBits,
+ boolean clientContextTakeover, int clientMaxWindowBits) {
+ this.serverContextTakeover = serverContextTakeover;
+ this.serverMaxWindowBits = serverMaxWindowBits;
+ this.clientContextTakeover = clientContextTakeover;
+ this.clientMaxWindowBits = clientMaxWindowBits;
+ }
+
+
+ @Override
+ public TransformationResult getMoreData(byte opCode, boolean fin, int rsv, ByteBuffer dest)
+ throws IOException {
+ // Control frames are never compressed and may appear in the middle of
+ // a WebSocket method. Pass them straight through.
+ if (Util.isControl(opCode)) {
+ return next.getMoreData(opCode, fin, rsv, dest);
+ }
+
+ if (!Util.isContinuation(opCode)) {
+ // First frame in new message
+ skipDecompression = (rsv & RSV_BITMASK) == 0;
+ }
+
+ // Pass uncompressed frames straight through.
+ if (skipDecompression) {
+ return next.getMoreData(opCode, fin, rsv, dest);
+ }
+
+ int written;
+ boolean usedEomBytes = false;
+
+ while (dest.remaining() > 0) {
+ // Space available in destination. Try and fill it.
+ try {
+ written = inflater.inflate(
+ dest.array(), dest.arrayOffset() + dest.position(), dest.remaining());
+ } catch (DataFormatException e) {
+ throw new IOException(MESSAGES.deflateFailure(), e);
+ }
+ dest.position(dest.position() + written);
+
+ if (inflater.needsInput() && !usedEomBytes ) {
+ if (dest.hasRemaining()) {
+ readBuffer.clear();
+ TransformationResult nextResult =
+ next.getMoreData(opCode, fin, (rsv ^ RSV_BITMASK), readBuffer);
+ inflater.setInput(
+ readBuffer.array(), readBuffer.arrayOffset(), readBuffer.position());
+ if (TransformationResult.UNDERFLOW.equals(nextResult)) {
+ return nextResult;
+ } else if (TransformationResult.END_OF_FRAME.equals(nextResult) &&
+ readBuffer.position() == 0) {
+ if (fin) {
+ inflater.setInput(EOM_BYTES);
+ usedEomBytes = true;
+ } else {
+ return TransformationResult.END_OF_FRAME;
+ }
+ }
+ }
+ } else if (written == 0) {
+ if (fin && !serverContextTakeover) {
+ inflater.reset();
+ }
+ return TransformationResult.END_OF_FRAME;
+ }
+ }
+
+ return TransformationResult.OVERFLOW;
+ }
+
+
+ @Override
+ public boolean validateRsv(int rsv, byte opCode) {
+ if (Util.isControl(opCode)) {
+ if ((rsv & RSV_BITMASK) > 0) {
+ return false;
+ } else {
+ if (next == null) {
+ return true;
+ } else {
+ return next.validateRsv(rsv, opCode);
+ }
+ }
+ } else {
+ int rsvNext = rsv;
+ if ((rsv & RSV_BITMASK) > 0) {
+ rsvNext = rsv ^ RSV_BITMASK;
+ }
+ if (next == null) {
+ return true;
+ } else {
+ return next.validateRsv(rsvNext, opCode);
+ }
+ }
+ }
+
+
+ @Override
+ public Extension getExtensionResponse() {
+ Extension result = new WsExtension(NAME);
+
+ List<Extension.Parameter> params = result.getParameters();
+
+ if (!serverContextTakeover) {
+ params.add(new WsExtensionParameter(SERVER_NO_CONTEXT_TAKEOVER, null));
+ }
+ if (serverMaxWindowBits != -1) {
+ params.add(new WsExtensionParameter(SERVER_MAX_WINDOW_BITS,
+ Integer.toString(serverMaxWindowBits)));
+ }
+ if (!clientContextTakeover) {
+ params.add(new WsExtensionParameter(CLIENT_NO_CONTEXT_TAKEOVER, null));
+ }
+ if (clientMaxWindowBits != -1) {
+ params.add(new WsExtensionParameter(CLIENT_MAX_WINDOW_BITS,
+ Integer.toString(clientMaxWindowBits)));
+ }
+
+ return result;
+ }
+
+
+ @Override
+ public void setNext(Transformation t) {
+ if (next == null) {
+ this.next = t;
+ } else {
+ next.setNext(t);
+ }
+ }
+
+
+ @Override
+ public boolean validateRsvBits(int i) {
+ if ((i & RSV_BITMASK) > 0) {
+ return false;
+ }
+ if (next == null) {
+ return true;
+ } else {
+ return next.validateRsvBits(i | RSV_BITMASK);
+ }
+ }
+
+
+ @Override
+ public List<MessagePart> sendMessagePart(List<MessagePart> uncompressedParts) {
+ List<MessagePart> allCompressedParts = new ArrayList<MessagePart>();
+
+ for (MessagePart uncompressedPart : uncompressedParts) {
+ byte opCode = uncompressedPart.getOpCode();
+ if (Util.isControl(opCode)) {
+ // Control messages can appear in the middle of other messages
+ // and must not be compressed. Pass it straight through
+ allCompressedParts.add(uncompressedPart);
+ } else {
+ List<MessagePart> compressedParts = new ArrayList<MessagePart>();
+ ByteBuffer uncompressedPayload = uncompressedPart.getPayload();
+ SendHandler uncompressedIntermediateHandler =
+ uncompressedPart.getIntermediateHandler();
+
+ deflater.setInput(uncompressedPayload.array(),
+ uncompressedPayload.arrayOffset() + uncompressedPayload.position(),
+ uncompressedPayload.remaining());
+
+ int flush = (uncompressedPart.isFin() ? Deflater.SYNC_FLUSH : Deflater.NO_FLUSH);
+ boolean deflateRequired = true;
+
+ while(deflateRequired) {
+ ByteBuffer compressedPayload = writeBuffer;
+
+ int written = deflater.deflate(compressedPayload.array(),
+ compressedPayload.arrayOffset() + compressedPayload.position(),
+ compressedPayload.remaining(), flush);
+ compressedPayload.position(compressedPayload.position() + written);
+
+ if (!uncompressedPart.isFin() && compressedPayload.hasRemaining() && deflater.needsInput()) {
+ // This message part has been fully processed by the
+ // deflater. Fire the send handler for this message part
+ // and move on to the next message part.
+ break;
+ }
+
+ // If this point is reached, a new compressed message part
+ // will be created...
+ MessagePart compressedPart;
+
+ // .. and a new writeBuffer will be required.
+ writeBuffer = ByteBuffer.allocate(Constants.DEFAULT_BUFFER_SIZE);
+
+ // Flip the compressed payload ready for writing
+ compressedPayload.flip();
+
+ boolean fin = uncompressedPart.isFin();
+ boolean full = compressedPayload.limit() == compressedPayload.capacity();
+ boolean needsInput = deflater.needsInput();
+
+ if (fin && !full && needsInput) {
+ // End of compressed message. Drop EOM bytes and output.
+ compressedPayload.limit(compressedPayload.limit() - EOM_BYTES.length);
+ compressedPart = new MessagePart(true, getRsv(uncompressedPart),
+ opCode, compressedPayload, uncompressedIntermediateHandler,
+ uncompressedIntermediateHandler);
+ deflateRequired = false;
+ startNewMessage();
+ } else if (full && !needsInput) {
+ // Write buffer full and input message not fully read.
+ // Output and start new compressed part.
+ compressedPart = new MessagePart(false, getRsv(uncompressedPart),
+ opCode, compressedPayload, uncompressedIntermediateHandler,
+ uncompressedIntermediateHandler);
+ } else if (!fin && full && needsInput) {
+ // Write buffer full and input message not fully read.
+ // Output and get more data.
+ compressedPart = new MessagePart(false, getRsv(uncompressedPart),
+ opCode, compressedPayload, uncompressedIntermediateHandler,
+ uncompressedIntermediateHandler);
+ deflateRequired = false;
+ } else if (fin && full && needsInput) {
+ // Write buffer full. Input fully read. Deflater may be
+ // in one of four states:
+ // - output complete (just happened to align with end of
+ // buffer
+ // - in middle of EOM bytes
+ // - about to write EOM bytes
+ // - more data to write
+ int eomBufferWritten = deflater.deflate(EOM_BUFFER, 0, EOM_BUFFER.length, Deflater.SYNC_FLUSH);
+ if (eomBufferWritten < EOM_BUFFER.length) {
+ // EOM has just been completed
+ compressedPayload.limit(compressedPayload.limit() - EOM_BYTES.length + eomBufferWritten);
+ compressedPart = new MessagePart(true,
+ getRsv(uncompressedPart), opCode, compressedPayload,
+ uncompressedIntermediateHandler, uncompressedIntermediateHandler);
+ deflateRequired = false;
+ startNewMessage();
+ } else {
+ // More data to write
+ // Copy bytes to new write buffer
+ writeBuffer.put(EOM_BUFFER, 0, eomBufferWritten);
+ compressedPart = new MessagePart(false,
+ getRsv(uncompressedPart), opCode, compressedPayload,
+ uncompressedIntermediateHandler, uncompressedIntermediateHandler);
+ }
+ } else {
+ throw new IllegalStateException("Should never happen");
+ }
+
+ // Add the newly created compressed part to the set of parts
+ // to pass on to the next transformation.
+ compressedParts.add(compressedPart);
+ }
+
+ SendHandler uncompressedEndHandler = uncompressedPart.getEndHandler();
+ int size = compressedParts.size();
+ if (size > 0) {
+ compressedParts.get(size - 1).setEndHandler(uncompressedEndHandler);
+ }
+
+ allCompressedParts.addAll(compressedParts);
+ }
+ }
+
+ if (next == null) {
+ return allCompressedParts;
+ } else {
+ return next.sendMessagePart(allCompressedParts);
+ }
+ }
+
+
+ private void startNewMessage() {
+ firstCompressedFrameWritten = false;
+ if (!clientContextTakeover) {
+ deflater.reset();
+ }
+ }
+
+ private int getRsv(MessagePart uncompressedMessagePart) {
+ int result = uncompressedMessagePart.getRsv();
+ if (!firstCompressedFrameWritten) {
+ result += RSV_BITMASK;
+ firstCompressedFrameWritten = true;
+ }
+ return result;
+ }
+}
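Review bot: In negotiate(), both `Integer.parseInt(param.getValue())` calls parse values that presumably come from the peer's extension offer. A non-numeric window-bits value, or a `server_max_window_bits` with no value, raises an unchecked NumberFormatException instead of being handled like the other bad-parameter cases. Catching it at the parse and declining the preference as the `!= 15` branch does would contain a malformed offer: `try { serverMaxWindowBits = Integer.parseInt(param.getValue()); } catch (NumberFormatException e) { ok = false; break; }`, and likewise for the client value. Separately, getMoreData() resets the inflater on `!serverContextTakeover` while startNewMessage() resets the deflater on `!clientContextTakeover`. On a server endpoint the inbound stream is compressed by the client, so the two flags look swapped and should be checked against the side this instance runs on. Nothing in this file calls `end()` on the per-connection `Inflater` and `Deflater`, so their native memory appears to be held until finalization.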
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Transformation.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Transformation.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Transformation.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+
+import javax.websocket.Extension;
+
+/**
+ * The internal representation of the transformation that a WebSocket extension
+ * performs on a message.
+ */
+public interface Transformation {
+
+ /**
+ * Sets the next transformation in the pipeline.
+ */
+ void setNext(Transformation t);
+
+ /**
+ * Validate that the RSV bit(s) required by this transformation are not
+ * being used by another extension. The implementation is expected to set
+ * any bits it requires before passing the set of in-use bits to the next
+ * transformation.
+ *
+ * @param i The RSV bits marked as in use so far as an int in the
+ * range zero to seven with RSV1 as the MSB and RSV3 as the
+ * LSB
+ *
+ * @return <code>true</code> if the combination of RSV bits used by the
+ * transformations in the pipeline do not conflict otherwise
+ * <code>false</code>
+ */
+ boolean validateRsvBits(int i);
+
+ /**
+ * Obtain the extension that describes the information to be returned to the
+ * client.
+ */
+ Extension getExtensionResponse();
+
+ /**
+ * Obtain more input data.
+ *
+ * @param opCode The opcode for the frame currently being processed
+ * @param fin Is this the final frame in this WebSocket message?
+ * @param rsv The reserved bits for the frame currently being
+ * processed
+ * @param dest The buffer in which the data is to be written
+ */
+ TransformationResult getMoreData(byte opCode, boolean fin, int rsv, ByteBuffer dest) throws IOException;
+
+ /**
+ * Validates the RSV and opcode combination (assumed to have been extracted
+ * from a WebSocket Frame) for this extension. The implementation is
+ * expected to unset any RSV bits it has validated before passing the
+ * remaining RSV bits to the next transformation in the pipeline.
+ *
+ * @param rsv The RSV bits received as an int in the range zero to
+ * seven with RSV1 as the MSB and RSV3 as the LSB
+ * @param opCode The opCode received
+ *
+ * @return <code>true</code> if the RSV is valid otherwise
+ * <code>false</code>
+ */
+ boolean validateRsv(int rsv, byte opCode);
+
+ /**
+ * Takes the provided list of messages, transforms them, passes the
+ * transformed list on to the next transformation (if any) and then returns
+ * the resulting list of message parts after all of the transformations have
+ * been applied.
+ *
+ * @param messageParts The list of messages to be transformed
+ *
+ * @return The list of messages after this any any subsequent
+ * transformations have been applied. The size of the returned list
+ * may be bigger or smaller than the size of the input list
+ */
+ List<MessagePart> sendMessagePart(List<MessagePart> messageParts);
+}
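Review bot: The Javadoc for getMoreData() has no `@return` or `@throws`, so the meaning of each `TransformationResult` value is left to the reader. It also omits a constraint the implementation in this commit relies on: PerMessageDeflate calls `dest.array()`, so `dest` must be array-backed. I would add `@param dest The buffer in which the data is to be written; must be backed by an accessible array`, plus an `@return` describing what the returned result tells the caller about `dest` and the current frame. setNext() is missing its `@param t`, and the sendMessagePart() `@return` text reads "this any any", which should be "this and any".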
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationFactory.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationFactory.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationFactory.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import static org.jboss.web.WebsocketsMessages.MESSAGES;
+
+import java.util.List;
+
+import javax.websocket.Extension;
+
+public class TransformationFactory {
+
+ private static final TransformationFactory factory = new TransformationFactory();
+
+ private TransformationFactory() {
+ // Hide default constructor
+ }
+
+ public static TransformationFactory getInstance() {
+ return factory;
+ }
+
+ public Transformation create(String name, List<List<Extension.Parameter>> preferences) {
+ if (PerMessageDeflate.NAME.equals(name)) {
+ return PerMessageDeflate.negotiate(preferences);
+ }
+ throw MESSAGES.unsupportedExtension(name);
+ }
+}
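Review bot: `create` throws for every name other than `PerMessageDeflate.NAME`, and nothing in the class says who is responsible for filtering names before the call. If the names reach it straight from a peer's Sec-WebSocket-Extensions header (the caller is not in this hunk), an offer of an unknown extension would abort the handshake rather than simply being declined. I would add a Javadoc on `create` along the lines of `Callers must pass only names of extensions installed in this container; any other name results in the unsupportedExtension exception.`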
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationResult.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationResult.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/TransformationResult.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+public enum TransformationResult {
+ /**
+ * The end of the available data was reached before the WebSocket frame was
+ * completely read.
+ */
+ UNDERFLOW,
+
+ /**
+ * The provided destination buffer was filled before all of the available
+ * data from the WebSocket frame could be processed.
+ */
+ OVERFLOW,
+
+ /**
+ * The end of the WebSocket frame was reached and all the data from that
+ * frame processed into the provided destination buffer.
+ */
+ END_OF_FRAME
+}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Util.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Util.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/Util.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -45,6 +45,7 @@
import javax.websocket.DeploymentException;
import javax.websocket.Encoder;
import javax.websocket.EndpointConfig;
+import javax.websocket.Extension;
import javax.websocket.MessageHandler;
import javax.websocket.PongMessage;
import javax.websocket.Session;
@@ -76,6 +77,11 @@
}
+ static boolean isContinuation(byte opCode) {
+ return opCode == Constants.OPCODE_CONTINUATION;
+ }
+
+
static CloseCode getCloseCode(int code) {
if (code > 2999 && code < 5000) {
return CloseCodes.NORMAL_CLOSURE;
@@ -165,7 +171,7 @@
}
- public static Class<?> getDecoderType(Class<? extends Decoder> decoder) {
+ private static Class<?> getDecoderType(Class<? extends Decoder> decoder) {
return Util.getGenericType(Decoder.class, decoder).getClazz();
}
@@ -346,13 +352,10 @@
}
-
- public static Set<MessageHandlerResult> getMessageHandlers(
+ static Set<MessageHandlerResult> getMessageHandlers(Class<?> target,
MessageHandler listener, EndpointConfig endpointConfig,
Session session) {
- Class<?> target = Util.getMessageType(listener);
-
// Will never be more than 2 types
Set<MessageHandlerResult> results = new HashSet<MessageHandlerResult>(2);
@@ -441,6 +444,84 @@
}
+ public static void parseExtensionHeader(List<Extension> extensions,
+ String header) {
+ // The relevant ABNF for the Sec-WebSocket-Extensions is as follows:
+ // extension-list = 1#extension
+ // extension = extension-token *( ";" extension-param )
+ // extension-token = registered-token
+ // registered-token = token
+ // extension-param = token [ "=" (token | quoted-string) ]
+ // ; When using the quoted-string syntax variant, the value
+ // ; after quoted-string unescaping MUST conform to the
+ // ; 'token' ABNF.
+ //
+ // The limiting of parameter values to tokens or "quoted tokens" makes
+ // the parsing of the header significantly simpler and allows a number
+ // of short-cuts to be taken.
+
+ // Step one, split the header into individual extensions using ',' as a
+ // separator
+ String unparsedExtensions[] = header.split(",");
+ for (String unparsedExtension : unparsedExtensions) {
+ // Step two, split the extension into the registered name and
+ // parameter/value pairs using ';' as a separator
+ String unparsedParameters[] = unparsedExtension.split(";");
+ WsExtension extension = new WsExtension(unparsedParameters[0].trim());
+
+ for (int i = 1; i < unparsedParameters.length; i++) {
+ int equalsPos = unparsedParameters[i].indexOf('=');
+ String name;
+ String value;
+ if (equalsPos == -1) {
+ name = unparsedParameters[i].trim();
+ value = null;
+ } else {
+ name = unparsedParameters[i].substring(0, equalsPos).trim();
+ value = unparsedParameters[i].substring(equalsPos + 1).trim();
+ int len = value.length();
+ if (len > 1) {
+ if (value.charAt(0) == '\"' && value.charAt(len - 1) == '\"') {
+ value = value.substring(1, value.length() - 1);
+ }
+ }
+ }
+ // Make sure value doesn't contain any of the delimiters since
+ // that would indicate something went wrong
+ if (containsDelims(name) || containsDelims(value)) {
+ throw MESSAGES.invalidToken(name, value);
+ }
+ if (value != null &&
+ (value.indexOf(',') > -1 || value.indexOf(';') > -1 ||
+ value.indexOf('\"') > -1 || value.indexOf('=') > -1)) {
+ throw MESSAGES.invalidTokenValue(value);
+ }
+ extension.addParameter(new WsExtensionParameter(name, value));
+ }
+ extensions.add(extension);
+ }
+ }
+
+
+ private static boolean containsDelims(String input) {
+ if (input == null || input.length() == 0) {
+ return false;
+ }
+ for (char c : input.toCharArray()) {
+ switch (c) {
+ case ',':
+ case ';':
+ case '\"':
+ case '=':
+ return true;
+ default:
+ // NO_OP
+ }
+
+ }
+ return false;
+ }
+
private static Method getOnMessageMethod(MessageHandler listener) {
try {
return listener.getClass().getMethod("onMessage", Object.class);
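Review bot: `unparsedParameters[0]` in parseExtensionHeader is read without a length check, and `String.split(";")` returns a zero-length array for an element made up only of `;`. Such a header therefore ends in an ArrayIndexOutOfBoundsException rather than the intended invalid-token error. An empty extension name is also accepted, and the name never goes through `containsDelims`. A guard before constructing the `WsExtension` covers the first two cases: `if (unparsedParameters.length == 0 || unparsedParameters[0].trim().length() == 0) { throw MESSAGES.invalidToken(unparsedExtension, null); }`, assuming `invalidToken` tolerates a null value as the existing call below already may pass one. Separately, the `value.indexOf(...)` test that follows `containsDelims(value)` checks the same four characters, so `invalidTokenValue` looks unreachable.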
@@ -451,6 +532,7 @@
}
}
+
public static class DecoderMatch {
private final List<Class<? extends Decoder>> textDecoders =
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtension.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtension.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtension.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.websocket.Extension;
+
+public class WsExtension implements Extension {
+
+ private final String name;
+ private final List<Parameter> parameters = new ArrayList<Parameter>();
+
+ WsExtension(String name) {
+ this.name = name;
+ }
+
+ void addParameter(Parameter parameter) {
+ parameters.add(parameter);
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public List<Parameter> getParameters() {
+ return parameters;
+ }
+}
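Review bot: `getParameters()` hands out the internal `ArrayList`, so any code holding the `Extension` can add or remove parameters after negotiation. `WsSession.getNegotiatedExtensions()` in this same commit has the same issue, returning the constructor-supplied list where it used to return `Collections.emptyList()`. Returning a read-only view keeps the negotiated state fixed for application code: `return Collections.unmodifiableList(parameters);` (with `import java.util.Collections;`), and the same wrapper in the session getter. This assumes no caller relies on mutating the returned list, which the visible hunks do not show.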
Added: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtensionParameter.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtensionParameter.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsExtensionParameter.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import javax.websocket.Extension.Parameter;
+
+public class WsExtensionParameter implements Parameter {
+
+ private final String name;
+ private final String value;
+
+ WsExtensionParameter(String name, String value) {
+ this.name = name;
+ this.value = value;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public String getValue() {
+ return value;
+ }
+}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameBase.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameBase.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameBase.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -24,9 +24,11 @@
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CoderResult;
import java.nio.charset.CodingErrorAction;
+import java.util.List;
import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
+import javax.websocket.Extension;
import javax.websocket.MessageHandler;
import javax.websocket.PongMessage;
@@ -43,6 +45,7 @@
// Connection level attributes
protected final WsSession wsSession;
protected final byte[] inputBuffer;
+ private final Transformation transformation;
// Attributes for control messages
// Control messages can appear in the middle of other messages so need
@@ -81,21 +84,31 @@
private int readPos = 0;
protected int writePos = 0;
- public WsFrameBase(WsSession wsSession) {
-
+ public WsFrameBase(WsSession wsSession, Transformation transformation) {
inputBuffer = new byte[Constants.DEFAULT_BUFFER_SIZE];
messageBufferBinary =
ByteBuffer.allocate(wsSession.getMaxBinaryMessageBufferSize());
messageBufferText =
CharBuffer.allocate(wsSession.getMaxTextMessageBufferSize());
this.wsSession = wsSession;
+ Transformation finalTransformation;
+ if (isMasked()) {
+ finalTransformation = new UnmaskTransformation();
+ } else {
+ finalTransformation = new NoopTransformation();
+ }
+ if (transformation == null) {
+ this.transformation = finalTransformation;
+ } else {
+ transformation.setNext(finalTransformation);
+ this.transformation = transformation;
+ }
}
protected void processInputBuffer() throws IOException {
while (true) {
wsSession.updateLastActive();
-
if (state == State.NEW_FRAME) {
if (!processInitialHeader()) {
break;
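Review bot: The constructor now calls `isMasked()` to pick the terminal transformation, and that call runs before any subclass constructor body has executed. Its declaration is not in the visible hunks; if it is an overridable method, an implementation that reads a subclass field would see the default value here and silently select the wrong terminal (unmasking or not). A comment at the call would record the constraint: `// isMasked() runs before subclass initialisation; implementations must return a constant`. The hunk ends inside processInputBuffer, whose body continues outside it.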
@@ -132,14 +145,13 @@
int b = inputBuffer[readPos++];
fin = (b & 0x80) > 0;
rsv = (b & 0x70) >>> 4;
- if (rsv != 0) {
- // Note extensions may use rsv bits but currently no extensions are
- // supported
+ opCode = (byte) (b & 0x0F);
+ if (!transformation.validateRsv(rsv, opCode)) {
throw new WsIOException(new CloseReason(
CloseCodes.PROTOCOL_ERROR,
MESSAGES.unsupportedReservedBitsSet(Integer.valueOf(rsv))));
}
- opCode = (byte) (b & 0x0F);
+
if (Util.isControl(opCode)) {
if (!fin) {
throw new WsIOException(new CloseReason(
@@ -155,7 +167,7 @@
}
} else {
if (continuationExpected) {
- if (opCode != Constants.OPCODE_CONTINUATION) {
+ if (!Util.isContinuation(opCode)) {
throw new WsIOException(new CloseReason(
CloseCodes.PROTOCOL_ERROR,
MESSAGES.noContinuationFrame()));
@@ -283,9 +295,13 @@
private boolean processDataControl() throws IOException {
- if (!appendPayloadToMessage(controlBufferBinary)) {
+ TransformationResult tr = transformation.getMoreData(opCode, fin, rsv, controlBufferBinary);
+ if (TransformationResult.UNDERFLOW.equals(tr)) {
return false;
}
+ // Control messages have fixed message size so
+ // TransformationResult.OVERFLOW is not possible here
+
controlBufferBinary.flip();
if (opCode == Constants.OPCODE_CLOSE) {
open = false;
@@ -379,7 +395,8 @@
private boolean processDataText() throws IOException {
// Copy the available data to the buffer
- while (!appendPayloadToMessage(messageBufferBinary)) {
+ TransformationResult tr = transformation.getMoreData(opCode, fin, rsv, messageBufferBinary);
+ while (!TransformationResult.END_OF_FRAME.equals(tr)) {
// Frame not complete - we ran out of something
// Convert bytes to UTF-8
messageBufferBinary.flip();
@@ -402,21 +419,24 @@
MESSAGES.textMessageTooLarge()));
}
} else if (cr.isUnderflow()) {
- // Need more input
// Compact what we have to create as much space as possible
messageBufferBinary.compact();
+ // Need more input
// What did we run out of?
- if (readPos == writePos) {
- // Ran out of input data - get some more
- return false;
- } else {
+ if (TransformationResult.OVERFLOW.equals(tr)) {
// Ran out of message buffer - exit inner loop and
// refill
break;
+ } else {
+ // TransformationResult.UNDERFLOW
+ // Ran out of input data - get some more
+ return false;
}
}
}
+ // Read more input data
+ tr = transformation.getMoreData(opCode, fin, rsv, messageBufferBinary);
}
messageBufferBinary.flip();
@@ -474,27 +494,30 @@
private boolean processDataBinary() throws IOException {
// Copy the available data to the buffer
- while (!appendPayloadToMessage(messageBufferBinary)) {
+ TransformationResult tr = transformation.getMoreData(opCode, fin, rsv, messageBufferBinary);
+ while (!TransformationResult.END_OF_FRAME.equals(tr)) {
// Frame not complete - what did we run out of?
- if (readPos == writePos) {
+ if (TransformationResult.UNDERFLOW.equals(tr)) {
// Ran out of input data - get some more
return false;
- } else {
- // Ran out of message buffer - flush it
- if (!usePartial()) {
- CloseReason cr = new CloseReason(CloseCodes.TOO_BIG,
+ }
+
+ // Ran out of message buffer - flush it
+ if (!usePartial()) {
+ CloseReason cr = new CloseReason(CloseCodes.TOO_BIG,
MESSAGES.bufferTooSmall(Integer.valueOf(messageBufferBinary.capacity()),
- Long.valueOf(payloadLength)));
- throw new WsIOException(cr);
- }
- messageBufferBinary.flip();
- ByteBuffer copy =
- ByteBuffer.allocate(messageBufferBinary.limit());
- copy.put(messageBufferBinary);
- copy.flip();
- sendMessageBinary(copy, false);
- messageBufferBinary.clear();
+ Long.valueOf(payloadLength)));
+ throw new WsIOException(cr);
}
+ messageBufferBinary.flip();
+ ByteBuffer copy =
+ ByteBuffer.allocate(messageBufferBinary.limit());
+ copy.put(messageBufferBinary);
+ copy.flip();
+ sendMessageBinary(copy, false);
+ messageBufferBinary.clear();
+ // Read more data
+ tr = transformation.getMoreData(opCode, fin, rsv, messageBufferBinary);
}
// Frame is fully received
@@ -621,34 +644,6 @@
}
- private boolean appendPayloadToMessage(ByteBuffer dest) {
- if (isMasked()) {
- while (payloadWritten < payloadLength && readPos < writePos &&
- dest.hasRemaining()) {
- byte b = (byte) ((inputBuffer[readPos] ^ mask[maskIndex]) & 0xFF);
- maskIndex++;
- if (maskIndex == 4) {
- maskIndex = 0;
- }
- readPos++;
- payloadWritten++;
- dest.put(b);
- }
- return (payloadWritten == payloadLength);
- } else {
- long toWrite = Math.min(
- payloadLength - payloadWritten, writePos - readPos);
- toWrite = Math.min(toWrite, dest.remaining());
-
- dest.put(inputBuffer, readPos, (int) toWrite);
- readPos += toWrite;
- payloadWritten += toWrite;
- return (payloadWritten == payloadLength);
-
- }
- }
-
-
private boolean swallowInput() {
long toSkip = Math.min(payloadLength - payloadWritten, writePos - readPos);
readPos += toSkip;
@@ -686,7 +681,125 @@
}
+ protected Transformation getTransformation() {
+ return transformation;
+ }
+
+
private static enum State {
NEW_FRAME, PARTIAL_HEADER, DATA
}
+
+
+ private abstract class TerminalTransformation implements Transformation {
+
+ @Override
+ public boolean validateRsvBits(int i) {
+ // Terminal transformations don't use RSV bits and there is no next
+ // transformation so always return true.
+ return true;
+ }
+
+ @Override
+ public Extension getExtensionResponse() {
+ // Return null since terminal transformations are not extensions
+ return null;
+ }
+
+ @Override
+ public void setNext(Transformation t) {
+ // NO-OP since this is the terminal transformation
+ }
+
+ /**
+ * {@inheritDoc}
+ * <p>
+ * Anything other than a value of zero for rsv is invalid.
+ */
+ @Override
+ public boolean validateRsv(int rsv, byte opCode) {
+ return rsv == 0;
+ }
+ }
+
+
+ /**
+ * For use by the client implementation that needs to obtain payload data
+ * without the need for unmasking.
+ */
+ private final class NoopTransformation extends TerminalTransformation {
+
+ @Override
+ public TransformationResult getMoreData(byte opCode, boolean fin, int rsv,
+ ByteBuffer dest) {
+ // opCode is ignored as the transformation is the same for all
+ // opCodes
+ // rsv is ignored as it known to be zero at this point
+ long toWrite = Math.min(
+ payloadLength - payloadWritten, writePos - readPos);
+ toWrite = Math.min(toWrite, dest.remaining());
+
+ dest.put(inputBuffer, readPos, (int) toWrite);
+ readPos += toWrite;
+ payloadWritten += toWrite;
+
+ if (payloadWritten == payloadLength) {
+ return TransformationResult.END_OF_FRAME;
+ } else if (readPos == writePos) {
+ return TransformationResult.UNDERFLOW;
+ } else {
+ // !dest.hasRemaining()
+ return TransformationResult.OVERFLOW;
+ }
+ }
+
+
+ @Override
+ public List<MessagePart> sendMessagePart(List<MessagePart> messageParts) {
+ // TODO Masking should move to this method
+ // NO-OP send so simply return the message unchanged.
+ return messageParts;
+ }
+ }
+
+
+ /**
+ * For use by the server implementation that needs to obtain payload data
+ * and unmask it before any further processing.
+ */
+ private final class UnmaskTransformation extends TerminalTransformation {
+
+ @Override
+ public TransformationResult getMoreData(byte opCode, boolean fin, int rsv,
+ ByteBuffer dest) {
+ // opCode is ignored as the transformation is the same for all
+ // opCodes
+ // rsv is ignored as it known to be zero at this point
+ while (payloadWritten < payloadLength && readPos < writePos &&
+ dest.hasRemaining()) {
+ byte b = (byte) ((inputBuffer[readPos] ^ mask[maskIndex]) & 0xFF);
+ maskIndex++;
+ if (maskIndex == 4) {
+ maskIndex = 0;
+ }
+ readPos++;
+ payloadWritten++;
+ dest.put(b);
+ }
+ if (payloadWritten == payloadLength) {
+ return TransformationResult.END_OF_FRAME;
+ } else if (readPos == writePos) {
+ return TransformationResult.UNDERFLOW;
+ } else {
+ // !dest.hasRemaining()
+ return TransformationResult.OVERFLOW;
+ }
+ }
+
+ @Override
+ public List<MessagePart> sendMessagePart(List<MessagePart> messageParts) {
+ // NO-OP send so simply return the message unchanged.
+ return messageParts;
+ }
+ }
}
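Review bot: The result selection at the end of `NoopTransformation.getMoreData` and `UnmaskTransformation.getMoreData` is duplicated line for line, and the order of the three checks carries meaning (a frame that completes exactly as the input or the destination runs out must report END_OF_FRAME). Keeping one copy in `TerminalTransformation` avoids the two drifting apart; each `getMoreData` would then end with `return currentResult();`. The helper name is my suggestion, not something in the commit.

```java
private abstract class TerminalTransformation implements Transformation {
    // … unchanged: validateRsvBits, getExtensionResponse, setNext, validateRsv …

    /**
     * Maps the enclosing frame's read state to a result. END_OF_FRAME is
     * checked first so a completed frame is never reported as a stall.
     */
    protected final TransformationResult currentResult() {
        if (payloadWritten == payloadLength) {
            return TransformationResult.END_OF_FRAME;
        }
        if (readPos == writePos) {
            return TransformationResult.UNDERFLOW;
        }
        // Input remains, so the destination buffer must be full
        return TransformationResult.OVERFLOW;
    }
```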
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameClient.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameClient.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsFrameClient.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -32,11 +32,15 @@
public WsFrameClient(ByteBuffer response, AsyncChannelWrapper channel,
WsSession wsSession) {
- super(wsSession);
+ // TODO Add support for extensions to the client side code
+ super(wsSession, null);
this.response = response;
this.channel = channel;
this.handler = new WsFrameClientCompletionHandler();
+ }
+
+ void startInputProcessing() {
try {
processSocketRead();
} catch (IOException e) {
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplBase.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -56,6 +56,10 @@
private final StateMachine stateMachine = new StateMachine();
+ private final IntermediateMessageHandler intermediateMessageHandler =
+ new IntermediateMessageHandler(this);
+
+ private Transformation transformation = null;
private boolean messagePartInProgress = false;
private final Queue<MessagePart> messagePartQueue = new ArrayDeque<MessagePart>();
private final Object messagePartLock = new Object();
@@ -77,6 +81,12 @@
private WsSession wsSession;
private List<EncoderEntry> encoderEntries = new ArrayList<EncoderEntry>();
+
+ protected void setTransformation(Transformation transformation) {
+ this.transformation = transformation;
+ }
+
+
public long getSendTimeout() {
return sendTimeout;
}
@@ -232,6 +242,7 @@
} else {
f2sh.get(timeout, TimeUnit.MILLISECONDS);
}
+ // FIXME: maybe not needed
if (payload != null) {
payload.clear();
}
@@ -250,8 +261,23 @@
wsSession.updateLastActive();
- MessagePart mp = new MessagePart(opCode, payload, last, handler, this);
+ List<MessagePart> messageParts = new ArrayList<MessagePart>();
+ messageParts.add(new MessagePart(last, 0, opCode, payload,
+ intermediateMessageHandler,
+ new EndMessageHandler(this, handler)));
+ messageParts = transformation.sendMessagePart(messageParts);
+
+ // Some extensions/transformations may buffer messages so it is possible
+ // that no message parts will be returned. If this is the case the
+ // trigger the suppler SendHandler
+ if (messageParts.size() == 0) {
+ handler.onResult(new SendResult());
+ return;
+ }
+
+ MessagePart mp = messageParts.remove(0);
+
boolean doWrite = false;
synchronized (messagePartLock) {
if (Constants.OPCODE_CLOSE == mp.getOpCode()) {
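Review bot: `transformation.sendMessagePart(messageParts)` dereferences a field that this commit initialises to `null` and assigns only through `setTransformation`, so a send issued before that call fails with a NullPointerException instead of a clear error. The field is also neither `final` nor `volatile`, so visibility to a sending thread depends on how the endpoint is published, which the hunks do not show. I would document the ordering on the setter, `/** Must be called before the first message is sent; the send path uses the transformation unconditionally. */`, or guard the call site. The enclosing method starts and ends outside this hunk.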
@@ -276,6 +302,8 @@
messagePartInProgress = true;
doWrite = true;
}
+ // Add any remaining messages to the queue
+ messagePartQueue.addAll(messageParts);
}
if (doWrite) {
// Actual write has to be outside sync block to avoid possible
@@ -314,12 +342,15 @@
wsSession.updateLastActive();
- handler.onResult(result);
+ // Some handlers, such as the IntermediateMessageHandler, do not have a
+ // nested handler so handler may be null.
+ if (handler != null) {
+ handler.onResult(result);
+ }
}
void writeMessagePart(MessagePart mp) {
-
if (closed) {
throw MESSAGES.messageSessionClosed();
}
@@ -327,7 +358,7 @@
if (Constants.INTERNAL_OPCODE_FLUSH == mp.getOpCode()) {
nextFragmented = fragmented;
nextText = text;
- doWrite(mp.getHandler(), outputBuffer);
+ doWrite(mp.getEndHandler(), outputBuffer);
return;
}
@@ -350,11 +381,11 @@
throw MESSAGES.messageFragmentTypeChange();
}
nextText = text;
- nextFragmented = !mp.isLast();
+ nextFragmented = !mp.isFin();
first = false;
} else {
// Wasn't fragmented. Might be now
- if (mp.isLast()) {
+ if (mp.isFin()) {
nextFragmented = false;
} else {
nextFragmented = true;
@@ -373,21 +404,20 @@
}
headerBuffer.clear();
- writeHeader(headerBuffer, mp.getOpCode(), mp.getPayload(), first,
- mp.isLast(), isMasked(), mask);
+ writeHeader(headerBuffer, mp.isFin(), mp.getRsv(), mp.getOpCode(),
+ isMasked(), mp.getPayload(), mask, first);
headerBuffer.flip();
if (getBatchingAllowed() || isMasked()) {
// Need to write via output buffer
OutputBufferSendHandler obsh = new OutputBufferSendHandler(
- mp.getHandler(), headerBuffer, mp.getPayload(), mask,
+ mp.getEndHandler(), headerBuffer, mp.getPayload(), mask,
outputBuffer, !getBatchingAllowed(), this);
obsh.write();
} else {
// Can write directly
- doWrite(mp.getHandler(), headerBuffer, mp.getPayload());
+ doWrite(mp.getEndHandler(), headerBuffer, mp.getPayload());
}
-
}
@@ -406,61 +436,50 @@
}
- private static class MessagePart {
- private final byte opCode;
- private final ByteBuffer payload;
- private final boolean last;
+ /**
+ * Wraps the user provided handler so that the end point is notified when
+ * the message is complete.
+ */
+ private static class EndMessageHandler implements SendHandler {
+
+ private final WsRemoteEndpointImplBase endpoint;
private final SendHandler handler;
- public MessagePart(byte opCode, ByteBuffer payload, boolean last,
- SendHandler handler, WsRemoteEndpointImplBase endpoint) {
- this.opCode = opCode;
- this.payload = payload;
- this.last = last;
- this.handler = new EndMessageHandler(endpoint, handler);
+ public EndMessageHandler(WsRemoteEndpointImplBase endpoint,
+ SendHandler handler) {
+ this.endpoint = endpoint;
+ this.handler = handler;
}
- public byte getOpCode() {
- return opCode;
+ @Override
+ public void onResult(SendResult result) {
+ endpoint.endMessage(handler, result);
}
-
-
- public ByteBuffer getPayload() {
- return payload;
- }
-
-
- public boolean isLast() {
- return last;
- }
-
-
- public SendHandler getHandler() {
- return handler;
- }
}
/**
- * Wraps the user provided handler so that the end point is notified when
- * the message is complete.
+ * If a transformation needs to split a {@link MessagePart} into multiple
+ * {@link MessagePart}s, it uses this handler as the end handler for each of
+ * the additional {@link MessagePart}s. This handler notifies this this
+ * class that the {@link MessagePart} has been processed and that the next
+ * {@link MessagePart} in the queue should be started. The final
+ * {@link MessagePart} will use the {@link EndMessageHandler} provided with
+ * the original {@link MessagePart}.
*/
- private static class EndMessageHandler implements SendHandler {
+ private static class IntermediateMessageHandler implements SendHandler {
private final WsRemoteEndpointImplBase endpoint;
- private final SendHandler handler;
- public EndMessageHandler(WsRemoteEndpointImplBase endpoint,
- SendHandler handler) {
+ public IntermediateMessageHandler(WsRemoteEndpointImplBase endpoint) {
this.endpoint = endpoint;
- this.handler = handler;
}
@Override
public void onResult(SendResult result) {
- endpoint.endMessage(handler, result);
+ endpoint.endMessage(null, result);
}
}
@@ -594,20 +613,22 @@
protected abstract boolean isMasked();
protected abstract void doClose();
- private static void writeHeader(ByteBuffer headerBuffer, byte opCode,
- ByteBuffer payload, boolean first, boolean last, boolean masked,
- byte[] mask) {
+ private static void writeHeader(ByteBuffer headerBuffer, boolean fin,
+ int rsv, byte opCode, boolean masked, ByteBuffer payload,
+ byte[] mask, boolean first) {
byte b = 0;
- if (last) {
+ if (fin) {
// Set the fin bit
- b = -128;
+ b -= 128;
}
+ b += (rsv << 4);
+
if (first) {
// This is the first fragment of this message
- b = (byte) (b + opCode);
+ b += opCode;
}
// If not the first fragment, it is a continuation with opCode of zero
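Review bot: `b += (rsv << 4);` in writeHeader does not bound `rsv` to three bits, and the compound assignment narrows to `byte` silently, so a value above 7 from a transformation would carry into the FIN bit. Masking makes the header layout independent of what `MessagePart.getRsv()` returns: `b |= (rsv & 0x07) << 4;`. The same applies to `b += opCode;`, where `b |= (opCode & 0x0F);` would keep a stray opcode from touching the RSV bits. writeHeader's body continues outside the hunk.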
@@ -669,6 +690,7 @@
}
public void write() {
+ // FIXME: maybe not needed
synchronized (buffer) {
buffer.clear();
CoderResult cr = encoder.encode(message, buffer, true);
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplClient.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplClient.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsRemoteEndpointImplClient.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -41,6 +41,7 @@
long timeout = getSendTimeout();
if (timeout < 1) {
timeout = Long.MAX_VALUE;
+
}
SendHandlerToCompletionHandler sh2ch =
new SendHandlerToCompletionHandler(handler);
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsSession.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsSession.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsSession.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -39,6 +39,8 @@
import javax.websocket.EndpointConfig;
import javax.websocket.Extension;
import javax.websocket.MessageHandler;
+import javax.websocket.MessageHandler.Partial;
+import javax.websocket.MessageHandler.Whole;
import javax.websocket.PongMessage;
import javax.websocket.RemoteEndpoint;
import javax.websocket.SendResult;
@@ -72,6 +74,7 @@
private final Principal userPrincipal;
private final EndpointConfig endpointConfig;
+ private final List<Extension> negotiatedExtensions;
private final String subProtocol;
private final Map<String,String> pathParameters;
private final boolean secure;
@@ -103,6 +106,7 @@
*
* @param localEndpoint
* @param wsRemoteEndpoint
+ * @param negotiatedExtensions
* @throws DeploymentException
*/
public WsSession(Endpoint localEndpoint,
@@ -110,9 +114,8 @@
WsWebSocketContainer wsWebSocketContainer,
URI requestUri, Map<String,List<String>> requestParameterMap,
String queryString, Principal userPrincipal, String httpSessionId,
- String subProtocol, Map<String,String> pathParameters,
- boolean secure, EndpointConfig endpointConfig)
- throws DeploymentException {
+ List<Extension> negotiatedExtensions, String subProtocol, Map<String,String> pathParameters,
+ boolean secure, EndpointConfig endpointConfig) throws DeploymentException {
this.localEndpoint = localEndpoint;
this.wsRemoteEndpoint = wsRemoteEndpoint;
this.wsRemoteEndpoint.setSession(this);
@@ -137,6 +140,7 @@
this.queryString = queryString;
this.userPrincipal = userPrincipal;
this.httpSessionId = httpSessionId;
+ this.negotiatedExtensions = negotiatedExtensions;
if (subProtocol == null) {
this.subProtocol = "";
} else {
@@ -159,10 +163,29 @@
}
- @SuppressWarnings("unchecked")
@Override
public void addMessageHandler(MessageHandler listener) {
+ Class<?> target = Util.getMessageType(listener);
+ doAddMessageHandler(target, listener);
+ }
+
+ @Override
+ public <T> void addMessageHandler(Class<T> clazz, Partial<T> handler)
+ throws IllegalStateException {
+ doAddMessageHandler(clazz, handler);
+ }
+
+
+ @Override
+ public <T> void addMessageHandler(Class<T> clazz, Whole<T> handler)
+ throws IllegalStateException {
+ doAddMessageHandler(clazz, handler);
+ }
+
+
+ @SuppressWarnings("unchecked")
+ private void doAddMessageHandler(Class<?> target, MessageHandler listener) {
checkState();
// Message handlers that require decoders may map to text messages,
@@ -176,7 +199,7 @@
// just as easily.
Set<MessageHandlerResult> mhResults =
- Util.getMessageHandlers(listener, endpointConfig, this);
+ Util.getMessageHandlers(target, listener, endpointConfig, this);
for (MessageHandlerResult mhResult : mhResults) {
switch (mhResult.getType()) {
@@ -295,7 +318,7 @@
@Override
public List<Extension> getNegotiatedExtensions() {
checkState();
- return Collections.emptyList();
+ return negotiatedExtensions;
}
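Review bot: `getNegotiatedExtensions()` now returns the same list instance the constructor stored (`this.negotiatedExtensions = negotiatedExtensions;` in the `@@ -137,6 +140,7 @@` hunk), so endpoint code can modify what the session reports whenever the caller passed a mutable list. On the server path the list is a plain `ArrayList` built in UpgradeUtil, whereas the previous `Collections.emptyList()` return was immutable. Keeping that property would be `return Collections.unmodifiableList(negotiatedExtensions);`, or wrapping once in the constructor. A null constructor argument is also stored and returned as-is, and the new `@param negotiatedExtensions` tag carries no description saying whether null is allowed.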
@@ -449,6 +472,7 @@
}
}
+
private void fireEndpointOnClose(CloseReason closeReason) {
// Fire the onClose event
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -326,21 +326,24 @@
}
// Switch to WebSocket
- WsRemoteEndpointImplClient wsRemoteEndpointClient =
- new WsRemoteEndpointImplClient(channel);
+ WsRemoteEndpointImplClient wsRemoteEndpointClient = new WsRemoteEndpointImplClient(channel);
WsSession wsSession = new WsSession(endpoint, wsRemoteEndpointClient,
- this, null, null, null, null, null, subProtocol,
- Collections.<String, String> emptyMap(), secure,
+ this, null, null, null, null, null, Collections.<Extension>emptyList(),
+ subProtocol, Collections.<String,String>emptyMap(), secure,
clientEndpointConfiguration);
- endpoint.onOpen(wsSession, clientEndpointConfiguration);
- registerSession(endpoint, wsSession);
- // Object creation will trigger input processing
- @SuppressWarnings("unused")
WsFrameClient wsFrameClient = new WsFrameClient(response, channel,
wsSession);
+ // WsFrame adds the necessary final transformations. Copy the
+ // completed transformation chain to the remote end point.
+ wsRemoteEndpointClient.setTransformation(wsFrameClient.getTransformation());
+ endpoint.onOpen(wsSession, clientEndpointConfiguration);
+ registerSession(endpoint, wsSession);
+
+ wsFrameClient.startInputProcessing();
+
return wsSession;
}
@@ -533,6 +536,7 @@
* @throws DeploymentException
* @throws TimeoutException
*/
+ @SuppressWarnings("null") // line is not null in line.endsWith() call
private HandshakeResponse processResponse(ByteBuffer response,
AsyncChannelWrapper channel, long timeout) throws InterruptedException,
ExecutionException, DeploymentException, EOFException,
@@ -644,7 +648,7 @@
if (sslTrustStorePwdValue == null) {
sslTrustStorePwdValue = SSL_TRUSTSTORE_PWD_DEFAULT;
}
-
+
File keyStoreFile = new File(sslTrustStoreValue);
KeyStore ks = KeyStore.getInstance("JKS");
InputStream is = null;
@@ -656,7 +660,7 @@
try {
is.close();
} catch (IOException ioe) {
- // Ignore
+ // Ignore
}
}
}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerBase.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerBase.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerBase.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -25,6 +25,7 @@
import javax.websocket.RemoteEndpoint;
import javax.websocket.Session;
+import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.websocket.WrappedMessageHandler;
/**
@@ -49,6 +50,8 @@
int indexSession, long maxMessageSize) {
this.pojo = pojo;
this.method = method;
+ // TODO: The method should already be accessible here but the following
+ // code seems to be necessary in some as yet not fully understood cases.
try {
this.method.setAccessible(true);
} catch (Exception e) {
@@ -107,4 +110,15 @@
public final long getMaxMessageSize() {
return maxMessageSize;
}
+
+
+ protected final void handlePojoMethodException(Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ if (t instanceof RuntimeException) {
+ throw (RuntimeException) t;
+ } else {
+ throw new RuntimeException(t);
+ }
+ }
}
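Review bot: `handlePojoMethodException` never returns normally, but neither its signature nor a comment says so. The callers in PojoMessageHandlerPartialBase and PojoMessageHandlerWholeBase depend on that: they now initialise `Object result = null;` and would carry on with a null result if this method ever returned. A short Javadoc stating that the method always throws, either the unwrapped cause when it is a `RuntimeException` or a new `RuntimeException` wrapping it, would make the contract explicit. Code that previously saw `IllegalArgumentException` for these reflection failures now sees a different exception type, which is worth mentioning in the same comment.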
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerPartialBase.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerPartialBase.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerPartialBase.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -67,7 +67,7 @@
} else {
parameters[indexPayload] = message;
}
- Object result;
+ Object result = null;
ThreadBindingListener tbl = ((WsSession) session).getThreadBindingListener();
ClassLoader old = Thread.currentThread().getContextClassLoader();
try {
@@ -75,9 +75,9 @@
tbl.bind();
result = method.invoke(pojo, parameters);
} catch (IllegalAccessException e) {
- throw new IllegalArgumentException(e);
+ handlePojoMethodException(e);
} catch (InvocationTargetException e) {
- throw new IllegalArgumentException(e);
+ handlePojoMethodException(e);
} finally {
try {
tbl.unbind();
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerWholeBase.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerWholeBase.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoMessageHandlerWholeBase.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -76,7 +76,7 @@
}
parameters[indexPayload] = payload;
- Object result;
+ Object result = null;
ThreadBindingListener tbl = ((WsSession) session).getThreadBindingListener();
ClassLoader old = Thread.currentThread().getContextClassLoader();
try {
@@ -84,9 +84,9 @@
tbl.bind();
result = method.invoke(pojo, parameters);
} catch (IllegalAccessException e) {
- throw new IllegalArgumentException(e);
+ handlePojoMethodException(e);
} catch (InvocationTargetException e) {
- throw new IllegalArgumentException(e);
+ handlePojoMethodException(e);
} finally {
try {
tbl.unbind();
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -17,7 +17,9 @@
package org.apache.tomcat.websocket.server;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import javax.websocket.Extension;
import javax.websocket.HandshakeResponse;
@@ -56,10 +58,13 @@
@Override
public List<Extension> getNegotiatedExtensions(List<Extension> installed,
List<Extension> requested) {
-
+ Set<String> installedNames = new HashSet<String>();
+ for (Extension e : installed) {
+ installedNames.add(e.getName());
+ }
List<Extension> result = new ArrayList<Extension>();
for (Extension request : requested) {
- if (installed.contains(request)) {
+ if (installedNames.contains(request.getName())) {
result.add(request);
}
}
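Review bot: The loop now matches on `request.getName()` only and adds the client's own `request` object to the result, so the returned list still carries whatever parameters the client sent, unchecked. That is a deliberate widening from `installed.contains(request)`, but the code does not say so, and a reader or a custom configurator subclass could take the result as already validated. I would add a comment above the loop such as `// Match on name only; client-supplied parameters are validated later, when the Transformation is created`. The method's return statement is outside this hunk.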
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/UpgradeUtil.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/UpgradeUtil.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/UpgradeUtil.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -20,17 +20,13 @@
import java.io.IOException;
import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
-import java.util.Iterator;
+import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
-import java.util.Queue;
-import java.util.concurrent.ConcurrentLinkedQueue;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
@@ -45,7 +41,11 @@
import org.apache.catalina.connector.RequestFacade;
import org.apache.tomcat.util.codec.binary.Base64;
+import org.apache.tomcat.util.security.ConcurrentMessageDigest;
import org.apache.tomcat.websocket.Constants;
+import org.apache.tomcat.websocket.Transformation;
+import org.apache.tomcat.websocket.TransformationFactory;
+import org.apache.tomcat.websocket.Util;
import org.apache.tomcat.websocket.WsHandshakeResponse;
import org.apache.tomcat.websocket.pojo.PojoEndpointServer;
@@ -54,8 +54,6 @@
private static final byte[] WS_ACCEPT =
"258EAFA5-E914-47DA-95CA-C5AB0DC85B11".getBytes(
StandardCharsets.ISO_8859_1);
- private static final Queue<MessageDigest> sha1Helpers =
- new ConcurrentLinkedQueue<MessageDigest>();
private UpgradeUtil() {
// Utility class. Hide default constructor.
@@ -90,7 +88,6 @@
// validation fails
String key;
String subProtocol = null;
- List<Extension> extensions = Collections.emptyList();
if (!headerContainsToken(req, Constants.CONNECTION_HEADER_NAME,
Constants.CONNECTION_HEADER_VALUE)) {
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
@@ -123,8 +120,59 @@
sec.getSubprotocols(), subProtocols);
// Extensions
- // Currently no extensions are supported by this implementation
+ // Should normally only be one header but handle the case of multiple
+ // headers
+ List<Extension> extensionsRequested = new ArrayList<Extension>();
+ Enumeration<String> extHeaders = req.getHeaders("Sec-WebSocket-Extensions");
+ while (extHeaders.hasMoreElements()) {
+ Util.parseExtensionHeader(extensionsRequested, extHeaders.nextElement());
+ }
+ // Negotiation phase 1. By default this simply filters out the
+ // extensions that the server does not support but applications could
+ // use a custom configurator to do more than this.
+ List<Extension> negotiatedExtensionsPhase1 = sec.getConfigurator().getNegotiatedExtensions(
+ Constants.INSTALLED_EXTENSIONS, extensionsRequested);
+ // Negotiation phase 2. Create the Transformations that will be applied
+ // to this connection. Note than an extension may be dropped at this
+ // point if the client has requested a configuration that the server is
+ // unable to support.
+ List<Transformation> transformations = createTransformations(negotiatedExtensionsPhase1);
+
+ List<Extension> negotiatedExtensionsPhase2;
+ if (transformations.isEmpty()) {
+ negotiatedExtensionsPhase2 = Collections.emptyList();
+ } else {
+ negotiatedExtensionsPhase2 = new ArrayList<Extension>(transformations.size());
+ for (Transformation t : transformations) {
+ negotiatedExtensionsPhase2.add(t.getExtensionResponse());
+ }
+ }
+
+ // Build the transformation pipeline
+ Transformation transformation = null;
+ StringBuilder responseHeaderExtensions = new StringBuilder();
+ boolean first = true;
+ for (Transformation t : transformations) {
+ if (first) {
+ first = false;
+ } else {
+ responseHeaderExtensions.append(',');
+ }
+ append(responseHeaderExtensions, t.getExtensionResponse());
+ if (transformation == null) {
+ transformation = t;
+ } else {
+ transformation.setNext(t);
+ }
+ }
+
+ // Now we have the full pipeline, validate the use of the RSV bits.
+ if (transformation != null && !transformation.validateRsvBits(0)) {
+ // TODO i18n
+ throw new ServletException("Incompatible RSV bit usage");
+ }
+
// If we got this far, all is good. Accept the connection.
resp.setHeader(Constants.UPGRADE_HEADER_NAME,
Constants.UPGRADE_HEADER_VALUE);
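Review bot: The `Sec-WebSocket-Extensions` values are parsed straight from the client request with no handling for a malformed header, unlike the earlier handshake checks in this method, which answer `resp.sendError(HttpServletResponse.SC_BAD_REQUEST)`. If `Util.parseExtensionHeader` rejects bad input by throwing (the `IllegalArgumentException` messages this commit adds to WebsocketsMessages, e.g. `invalidToken`, suggest it does; its body is not visible here), a bad header from any client surfaces as an unhandled exception rather than a 400. The same applies to `createTransformations(...)` if the factory throws on duplicate or invalid deflate parameters, and the RSV-bit check reports its failure as a `ServletException` rather than a client error. Catching the exception around the parse, and ideally around phase 2 as well, keeps client-caused failures on the 400 path. The enclosing method starts and ends outside this hunk.

```java
List<Extension> extensionsRequested = new ArrayList<Extension>();
Enumeration<String> extHeaders = req.getHeaders("Sec-WebSocket-Extensions");
try {
    while (extHeaders.hasMoreElements()) {
        Util.parseExtensionHeader(extensionsRequested, extHeaders.nextElement());
    }
} catch (IllegalArgumentException iae) {
    // Malformed client header: reject like the other handshake checks
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
    return;
}
// … unchanged: negotiation phases 1 and 2, pipeline construction, RSV validation …
```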
@@ -136,16 +184,8 @@
// RFC6455 4.2.2 explicitly states "" is not valid here
resp.setHeader("Sec-WebSocket-Protocol", subProtocol);
}
- if (!extensions.isEmpty()) {
- StringBuilder sb = new StringBuilder();
- Iterator<Extension> iter = extensions.iterator();
- // There must be at least one
- sb.append(iter.next());
- while (iter.hasNext()) {
- sb.append(',');
- sb.append(iter.next().getName());
- }
- resp.setHeader("Sec-WebSocket-Extensions", sb.toString());
+ if (!transformations.isEmpty()) {
+ resp.setHeader("Sec-WebSocket-Extensions", responseHeaderExtensions.toString());
}
WsHandshakeRequest wsRequest = new WsHandshakeRequest(req);
@@ -187,13 +227,65 @@
WsHttpUpgradeHandler wsHandler =
((RequestFacade) inner).upgrade(WsHttpUpgradeHandler.class);
wsHandler.preInit(ep, perSessionServerEndpointConfig, sc, wsRequest,
- subProtocol, pathParams, req.isSecure());
+ negotiatedExtensionsPhase2, subProtocol, transformation, pathParams,
+ req.isSecure());
} else {
throw new ServletException(MESSAGES.upgradeFailed());
}
}
+ private static List<Transformation> createTransformations(
+ List<Extension> negotiatedExtensions) {
+
+ TransformationFactory factory = TransformationFactory.getInstance();
+
+ LinkedHashMap<String,List<List<Extension.Parameter>>> extensionPreferences =
+ new LinkedHashMap<String,List<List<Extension.Parameter>>>();
+
+ // Result will likely be smaller than this
+ List<Transformation> result = new ArrayList<Transformation>(negotiatedExtensions.size());
+
+ for (Extension extension : negotiatedExtensions) {
+ List<List<Extension.Parameter>> preferences =
+ extensionPreferences.get(extension.getName());
+
+ if (preferences == null) {
+ preferences = new ArrayList<List<Extension.Parameter>>();
+ extensionPreferences.put(extension.getName(), preferences);
+ }
+
+ preferences.add(extension.getParameters());
+ }
+
+ for (Map.Entry<String,List<List<Extension.Parameter>>> entry :
+ extensionPreferences.entrySet()) {
+ Transformation transformation = factory.create(entry.getKey(), entry.getValue());
+ if (transformation != null) {
+ result.add(transformation);
+ }
+ }
+ return result;
+ }
+
+ private static void append(StringBuilder sb, Extension extension) {
+ if (extension == null || extension.getName() == null || extension.getName().length() == 0) {
+ return;
+ }
+
+ sb.append(extension.getName());
+
+ for (Extension.Parameter p : extension.getParameters()) {
+ sb.append(';');
+ sb.append(p.getName());
+ if (p.getValue() != null) {
+ sb.append('=');
+ sb.append(p.getValue());
+ }
+ }
+ }
+
+
/*
* This only works for tokens. Quoted strings need more sophisticated
* parsing.
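Review bot: `append()` returns without writing anything when the extension or its name is null or empty, but the pipeline loop in the `@@ -123,8 +120,59 @@` hunk has already written the `,` separator (or cleared `first`) before calling it. A transformation whose `getExtensionResponse()` is skipped therefore leaves an empty element in `Sec-WebSocket-Extensions`, such as a leading, doubled or trailing comma, which a strict client parser may reject. Moving the separator into `append()` after the guard, `if (sb.length() > 0) { sb.append(','); }`, and dropping the `first` flag from the loop keeps the two in step. In that case `negotiatedExtensionsPhase2` would also hold a null entry, so filtering there is worth considering too.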
@@ -233,19 +325,9 @@
}
- private static String getWebSocketAccept(String key) throws ServletException {
- MessageDigest sha1Helper = sha1Helpers.poll();
- if (sha1Helper == null) {
- try {
- sha1Helper = MessageDigest.getInstance("SHA1");
- } catch (NoSuchAlgorithmException e) {
- throw new ServletException(e);
- }
- }
- sha1Helper.reset();
- sha1Helper.update(key.getBytes(StandardCharsets.ISO_8859_1));
- String result = Base64.encodeBase64String(sha1Helper.digest(WS_ACCEPT));
- sha1Helpers.add(sha1Helper);
- return result;
+ private static String getWebSocketAccept(String key) {
+ byte[] digest = ConcurrentMessageDigest.digestSHA1(
+ key.getBytes(StandardCharsets.ISO_8859_1), WS_ACCEPT);
+ return Base64.encodeBase64String(digest);
}
}
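Review bot: The rewritten `getWebSocketAccept` has no comment explaining why SHA-1 is used, and a call named `digestSHA1` is the kind of line that gets flagged in crypto reviews and by scanners. A one-line comment would settle it: `// SHA-1 is fixed by the RFC 6455 opening handshake (Sec-WebSocket-Accept); it is not relied on for collision resistance`. The method also no longer declares `ServletException`, so it is worth confirming how `ConcurrentMessageDigest.digestSHA1` reports an unavailable algorithm, since that class is not visible in this part of the commit.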
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsFrameServer.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsFrameServer.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsFrameServer.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -20,6 +20,7 @@
import java.io.IOException;
import org.apache.coyote.http11.upgrade.AbstractServletInputStream;
+import org.apache.tomcat.websocket.Transformation;
import org.apache.tomcat.websocket.WsFrameBase;
import org.apache.tomcat.websocket.WsSession;
@@ -29,8 +30,9 @@
private final Object connectionReadLock = new Object();
- public WsFrameServer(AbstractServletInputStream sis, WsSession wsSession) {
- super(wsSession);
+ public WsFrameServer(AbstractServletInputStream sis, WsSession wsSession,
+ Transformation transformation) {
+ super(wsSession, transformation);
this.sis = sis;
}
@@ -62,4 +64,11 @@
// Data is from the client so it should be masked
return true;
}
+
+
+ @Override
+ protected Transformation getTransformation() {
+ // Overridden to make it visible to other classes in this package
+ return super.getTransformation();
+ }
}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -20,6 +20,7 @@
import java.io.EOFException;
import java.io.IOException;
+import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpSession;
@@ -28,6 +29,7 @@
import javax.websocket.DeploymentException;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
+import javax.websocket.Extension;
import org.apache.coyote.http11.upgrade.AbstractServletInputStream;
import org.apache.coyote.http11.upgrade.AbstractServletOutputStream;
@@ -35,6 +37,7 @@
import org.apache.coyote.http11.upgrade.servlet31.ReadListener;
import org.apache.coyote.http11.upgrade.servlet31.WebConnection;
import org.apache.coyote.http11.upgrade.servlet31.WriteListener;
+import org.apache.tomcat.websocket.Transformation;
import org.apache.tomcat.websocket.WsIOException;
import org.apache.tomcat.websocket.WsSession;
import org.jboss.web.WebsocketsLogger;
@@ -50,7 +53,9 @@
private EndpointConfig endpointConfig;
private WsServerContainer webSocketContainer;
private WsHandshakeRequest handshakeRequest;
+ private List<Extension> negotiatedExtensions;
private String subProtocol;
+ private Transformation transformation;
private Map<String,String> pathParameters;
private boolean secure;
private WebConnection connection;
@@ -65,13 +70,16 @@
public void preInit(Endpoint ep, EndpointConfig endpointConfig,
WsServerContainer wsc, WsHandshakeRequest handshakeRequest,
- String subProtocol, Map<String,String> pathParameters,
+ List<Extension> negotiatedExtensionsPhase2, String subProtocol,
+ Transformation transformation, Map<String,String> pathParameters,
boolean secure) {
this.ep = ep;
this.endpointConfig = endpointConfig;
this.webSocketContainer = wsc;
this.handshakeRequest = handshakeRequest;
+ this.negotiatedExtensions = negotiatedExtensionsPhase2;
this.subProtocol = subProtocol;
+ this.transformation = transformation;
this.pathParameters = pathParameters;
this.secure = secure;
}
@@ -100,6 +108,12 @@
httpSessionId = ((HttpSession) session).getId();
}
+ // Need to call onOpen using the web application's class loader
+ // Create the frame using the application's class loader so it can pick
+ // up application specific config from the ServerContainerImpl
+ Thread t = Thread.currentThread();
+ ClassLoader cl = t.getContextClassLoader();
+ t.setContextClassLoader(applicationClassLoader);
try {
WsRemoteEndpointImplServer wsRemoteEndpointServer =
new WsRemoteEndpointImplServer(sos, webSocketContainer);
@@ -108,17 +122,20 @@
handshakeRequest.getParameterMap(),
handshakeRequest.getQueryString(),
handshakeRequest.getUserPrincipal(), httpSessionId,
- subProtocol, pathParameters, secure, endpointConfig);
- WsFrameServer wsFrame = new WsFrameServer(
- sis,
- wsSession);
- sos.setWriteListener(
- new WsWriteListener(this, wsRemoteEndpointServer));
+ negotiatedExtensions, subProtocol, pathParameters, secure,
+ endpointConfig);
+ WsFrameServer wsFrame = new WsFrameServer(sis, wsSession, transformation);
+ sos.setWriteListener(new WsWriteListener(this, wsRemoteEndpointServer));
+ // WsFrame adds the necessary final transformations. Copy the
+ // completed transformation chain to the remote end point.
+ wsRemoteEndpointServer.setTransformation(wsFrame.getTransformation());
ep.onOpen(wsSession, endpointConfig);
webSocketContainer.registerSession(ep, wsSession);
sis.setReadListener(new WsReadListener(this, wsFrame));
} catch (DeploymentException e) {
throw new IllegalArgumentException(e);
+ } finally {
+ t.setContextClassLoader(cl);
}
}
@@ -136,7 +153,15 @@
private void onError(Throwable throwable) {
- ep.onError(wsSession, throwable);
+ // Need to call onError using the web application's class loader
+ Thread t = Thread.currentThread();
+ ClassLoader cl = t.getContextClassLoader();
+ t.setContextClassLoader(applicationClassLoader);
+ try {
+ ep.onError(wsSession, throwable);
+ } finally {
+ t.setContextClassLoader(cl);
+ }
}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -28,6 +28,7 @@
import javax.websocket.SendResult;
import org.apache.coyote.http11.upgrade.AbstractServletOutputStream;
+import org.apache.tomcat.websocket.Transformation;
import org.apache.tomcat.websocket.WsRemoteEndpointImplBase;
import org.jboss.web.WebsocketsLogger;
@@ -87,6 +88,7 @@
while (sos.isReady()) {
complete = true;
for (ByteBuffer buffer : buffers) {
+ // FIXME: might not be needed
synchronized (buffer) {
if (buffer.hasRemaining()) {
complete = false;
@@ -116,6 +118,7 @@
}
if (!complete) {
// Async write is in progress
+
long timeout = getSendTimeout();
if (timeout > 0) {
// Register with timeout thread
@@ -130,7 +133,7 @@
protected void doClose() {
if (handler != null) {
// close() can be triggered by a wide range of scenarios. It is far
- // simpler just to always use a dispatch that it is to try and track
+ // simpler just to always use a dispatch than it is to try and track
// whether or not this method was called by the same thread that
// triggered the write
clearHandler(new EOFException(), true);
@@ -164,6 +167,13 @@
}
+ @Override
+ protected void setTransformation(Transformation transformation) {
+ // Overridden purely so it is visible to other classes in this package
+ super.setTransformation(transformation);
+ }
+
+
/**
*
* @param t The throwable associated with any error that
@@ -181,6 +191,7 @@
// message.
SendHandler sh = handler;
handler = null;
+ buffers = null;
if (sh != null) {
if (useDispatch) {
OnResultRunnable r = onResultRunnables.poll();
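Review bot: `buffers = null;` here can leave the write loop shown in the `@@ -87,6 +88,7 @@` hunk (`for (ByteBuffer buffer : buffers)`) iterating a field that another path has just cleared, if that loop reads the field directly. Other hunks in this file mention a timeout thread, and the comment in `doClose()` notes that close can be triggered from many places, so a concurrent or re-entrant `clearHandler` call looks possible, although the threading model is not visible here. I would read the field once into a local at the top of the write method and `if (local == null) { return; }` before entering the loop. The new `// FIXME: might not be needed` on `synchronized (buffer)` should be resolved together with this, since both concern who may touch the buffers concurrently.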
Modified: branches/7.5.x/src/main/java/org/jboss/web/CoyoteMessages.java
===================================================================
--- branches/7.5.x/src/main/java/org/jboss/web/CoyoteMessages.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/jboss/web/CoyoteMessages.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -289,4 +289,7 @@
@Message(id = 2083, value = "Maximum extension size [%s] exceeded for this request")
IOException maxExtensionSizeExceeded(int size);
+ @Message(id = 2084, value = "Must call init first")
+ IllegalStateException mustInitFirst();
+
}
Modified: branches/7.5.x/src/main/java/org/jboss/web/WebsocketsMessages.java
===================================================================
--- branches/7.5.x/src/main/java/org/jboss/web/WebsocketsMessages.java 2014-09-17 07:50:46 UTC (rev 2510)
+++ branches/7.5.x/src/main/java/org/jboss/web/WebsocketsMessages.java 2014-09-29 15:13:58 UTC (rev 2511)
@@ -311,4 +311,25 @@
@Message(id = 8591, value = "Unknown scheme %s")
IllegalArgumentException unknownScheme(String scheme);
+ @Message(id = 8592, value = "Duplicate deflate parameter %s")
+ IllegalArgumentException duplicateDeflateParameter(String parameter);
+
+ @Message(id = 8593, value = "Invalid deflate window size %s maximum %s")
+ IllegalArgumentException invalidDeflateWindowSize(String parameter, int maximum);
+
+ @Message(id = 8594, value = "Unknown deflate parameter %s")
+ IllegalArgumentException unkownDeflateParameter(String parameter);
+
+ @Message(id = 8595, value = "Deflate failure")
+ String deflateFailure();
+
+ @Message(id = 8596, value = "Unsupported extension %s")
+ IllegalArgumentException unsupportedExtension(String name);
+
+ @Message(id = 8597, value = "Invalid token %s value %s")
+ IllegalArgumentException invalidToken(String name, String value);
+
+ @Message(id = 8598, value = "Invalid token value %s")
+ IllegalArgumentException invalidTokenValue(String value);
+
}
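Review bot: The new method `unkownDeflateParameter` is misspelled ("unkown"). Every caller will have to repeat the typo, and it sits next to the correctly spelled `unknownScheme` already in this interface. Renaming it now, before other code depends on it, is cheap: `IllegalArgumentException unknownDeflateParameter(String parameter);`.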
JBossWeb SVN: r2510 - branches/7.5.x/src/main/java/org/apache/coyote/http11.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-17 03:50:46 -0400 (Wed, 17 Sep 2014)
New Revision: 2510
Modified:
branches/7.5.x/src/main/java/org/apache/coyote/http11/Http11Processor.java
Log:
Follow up for BZ1059511: Add an extra for java.io. This functionality is almost useless, however.
Modified: branches/7.5.x/src/main/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/coyote/http11/Http11Processor.java 2014-09-11 15:09:44 UTC (rev 2509)
+++ branches/7.5.x/src/main/java/org/apache/coyote/http11/Http11Processor.java 2014-09-17 07:50:46 UTC (rev 2510)
@@ -809,7 +809,7 @@
// Parsing the request header
try {
- if (!disableUploadTimeout && keptAlive) {
+ if (keptAlive) {
if (keepAliveTimeout > 0) {
socket.setSoTimeout(keepAliveTimeout);
}
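Review bot: The condition at the top of the `try` no longer consults `disableUploadTimeout`, and nothing in the hunk records why; the commit log only calls the functionality "almost useless". After this change every kept-alive connection gets `socket.setSoTimeout(keepAliveTimeout)` before header parsing. If the code after the header parse restores the regular timeout only when `disableUploadTimeout` is false (not visible here), connections with upload timeouts disabled would go on to read request bodies under the keep-alive timeout. A comment such as `// Keep-alive timeout applies to header parsing regardless of disableUploadTimeout` would record the intent, and the reset path after the request line is read is worth checking. The enclosing method starts and ends outside this hunk.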
JBossWeb SVN: r2509 - branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-11 11:09:44 -0400 (Thu, 11 Sep 2014)
New Revision: 2509
Added:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
Removed:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
Log:
BZ1123342: Needs alias support so try to rebase on the Tomcat code which has support for that along with many other fixes.
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,29 +1,22 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
-/**
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
- */
enum Authentication {
RSA /* RSA auth */,
DSS /* DSS auth */,
@@ -35,5 +28,6 @@
PSK /* PSK auth */,
GOST94 /* GOST R 34.10-94 signature auth */,
GOST01 /* GOST R 34.10-2001 */,
- FZA /* Fortezza */;
+ FZA /* Fortezza */,
+ SRP
}
Added: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java (rev 0)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -0,0 +1,2645 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.tomcat.util.net.jsse.openssl;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * All the standard cipher suites for SSL/TSL.
+ *
+ * @see <a href="http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-p..."
+ * >The cipher suite registry</a>
+ * @see <a href="https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/"
+ * >Another list of cipher suites with some non-standard IDs</a>
+ * @see <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNa..."
+ * >Oracle standard names for cipher suites</a>
+ * @see <a href="https://www.openssl.org/docs/apps/ciphers.html"
+ * >Mapping of OpenSSL cipher suites names to registry names</a>
+ */
+enum Cipher {
+ /* The RSA ciphers */
+ // Cipher 01
+ TLS_RSA_WITH_NULL_MD5(
+ "NULL-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0,
+ "SSL_RSA_WITH_NULL_MD5"
+ ),
+ // Cipher 02
+ TLS_RSA_WITH_NULL_SHA(
+ "NULL-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0,
+ "SSL_RSA_WITH_NULL_SHA"
+ ),
+ // Cipher 03
+ TLS_RSA_EXPORT_WITH_RC4_40_MD5(
+ "EXP-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128,
+ "SSL_RSA_EXPORT_WITH_RC4_40_MD5"
+ ),
+ // Cipher 04
+ TLS_RSA_WITH_RC4_128_MD5(
+ "RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128,
+ "SSL_RSA_WITH_RC4_128_MD5"
+ ),
+ // Cipher 05
+ TLS_RSA_WITH_RC4_128_SHA(
+ "RC4-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128,
+ "SSL_RSA_WITH_RC4_128_SHA"
+ ),
+ // Cipher 06
+ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5(
+ "EXP-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128,
+ "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"
+ ),
+ // Cipher 07
+ TLS_RSA_WITH_IDEA_CBC_SHA(
+ "IDEA-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.IDEA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128,
+ "SSL_RSA_WITH_IDEA_CBC_SHA"
+ ),
+ // Cipher 08
+ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA(
+ "EXP-DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56,
+ "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"
+ ),
+ // Cipher 09
+ TLS_RSA_WITH_DES_CBC_SHA(
+ "DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_RSA_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 0A
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA(
+ "DES-CBC3-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168,
+ "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
+ ),
+ /* The DH ciphers */
+ // Cipher 0B
+ TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA(
+ "EXP-DH-DSS-DES-CBC-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56,
+ "SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"
+ ),
+ // Cipher 0C
+ TLS_DH_DSS_WITH_DES_CBC_SHA(
+ "DH-DSS-DES-CBC-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_DH_DSS_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 0D
+ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA(
+ "DH-DSS-DES-CBC3-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168,
+ "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA"
+ ),
+ // Cipher 0E
+ TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA(
+ "EXP-DH-RSA-DES-CBC-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56,
+ "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"
+ ),
+ // Cipher 0F
+ TLS_DH_RSA_WITH_DES_CBC_SHA(
+ "DH-RSA-DES-CBC-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_DH_RSA_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 10
+ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA(
+ "DH-RSA-DES-CBC3-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168,
+ "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA"
+ ),
+ /* The Ephemeral DH ciphers */
+ // Cipher 11
+ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA(
+ "EXP-EDH-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56,
+ "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
+ ),
+ // Cipher 12
+ TLS_DHE_DSS_WITH_DES_CBC_SHA(
+ "EDH-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_DHE_DSS_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 13
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA(
+ "EDH-DSS-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168,
+ "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
+ ),
+ // Cipher 14
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA(
+ "EXP-EDH-RSA-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56,
+ "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
+ ),
+ // Cipher 15
+ TLS_DHE_RSA_WITH_DES_CBC_SHA(
+ "EDH-RSA-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_DHE_RSA_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 16
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA(
+ "EDH-RSA-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168,
+ "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
+ ),
+ // Cipher 17
+ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5(
+ "EXP-ADH-RC4-MD5",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128,
+ "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5"
+ ),
+ // Cipher 18
+ TLS_DH_anon_WITH_RC4_128_MD5(
+ "ADH-RC4-MD5",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128,
+ "SSL_DH_anon_WITH_RC4_128_MD5"
+ ),
+ // Cipher 19
+ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA(
+ "EXP-ADH-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128,
+ "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA"
+ ),
+ // Cipher 1A
+ TLS_DH_anon_WITH_DES_CBC_SHA(
+ "ADH-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_DH_anon_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 1B
+ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA(
+ "ADH-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168,
+ "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
+ ),
+ /* Fortezza ciphersuite from SSL 3.0 spec */
+ SSL_FORTEZZA_DMS_WITH_NULL_SHA(
+ "FZA-NULL-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0
+ ),
+ SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA(
+ "FZA-FZA-CBC-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.FZA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0
+ ),
+ SSL_FORTEZZA_DMS_WITH_RC4_128_SHA(
+ "FZA-RC4-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ /* The Kerberos ciphers*/
+ // Cipher 1E
+ /*TLS_KRB5_WITH_DES_CBC_SHA(
+ "KRB5-DES-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56
+ ),
+ // Cipher 1F
+ TLS_KRB5_WITH_3DES_EDE_CBC_SHA(
+ "KRB5-DES-CBC3-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher 20
+ TLS_KRB5_WITH_RC4_128_SHA(
+ "KRB5-RC4-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 21
+ TLS_KRB5_WITH_IDEA_CBC_SHA(
+ "KRB5-IDEA-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.IDEA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 22
+ TLS_KRB5_WITH_DES_CBC_MD5(
+ "KRB5-DES-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56
+ ),
+ // Cipher 23
+ TLS_KRB5_WITH_3DES_EDE_CBC_MD5(
+ "KRB5-DES-CBC3-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.TRIPLE_DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher 24
+ TLS_KRB5_WITH_RC4_128_MD5(
+ "KRB5-RC4-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 25
+ TLS_KRB5_WITH_IDEA_CBC_MD5(
+ "KRB5-IDEA-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.IDEA,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 26
+ TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA(
+ "EXP-KRB5-DES-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56
+ ),
+ // Cipher 27
+ TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA(
+ "EXP-KRB5-RC2-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC2,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // Cipher 28
+ TLS_KRB5_EXPORT_WITH_RC4_40_SHA(
+ "EXP-KRB5-RC4-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // Cipher 29
+ TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5(
+ "EXP-KRB5-DES-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56
+ ),
+ // Cipher 2A
+ TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5(
+ "EXP-KRB5-RC2-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // Cipher 2B
+ TLS_KRB5_EXPORT_WITH_RC4_40_MD5(
+ "EXP-KRB5-RC4-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),*/
+ /* New AES ciphersuites */
+ // Cipher 2F
+ TLS_RSA_WITH_AES_128_CBC_SHA(
+ "AES128-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 30
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA(
+ "DH-DSS-AES128-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 31
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA(
+ "DH-RSA-AES128-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 32
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA(
+ "DHE-DSS-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 33
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA(
+ "DHE-RSA-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 34
+ TLS_DH_anon_WITH_AES_128_CBC_SHA(
+ "ADH-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 35
+ TLS_RSA_WITH_AES_256_CBC_SHA(
+ "AES256-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 36
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA(
+ "DH-DSS-AES256-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 37
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA(
+ "DH-RSA-AES256-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 38
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA(
+ "DHE-DSS-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 39
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA(
+ "DHE-RSA-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 3A
+ TLS_DH_anon_WITH_AES_256_CBC_SHA(
+ "ADH-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* TLS v1.2 ciphersuites */
+ // Cipher 3B
+ TLS_RSA_WITH_NULL_SHA256(
+ "NULL-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher 3C
+ TLS_RSA_WITH_AES_128_CBC_SHA256(
+ "AES128-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 3D
+ TLS_RSA_WITH_AES_256_CBC_SHA256(
+ "AES256-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 3E
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA256(
+ "DH-DSS-AES128-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 3F
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA256(
+ "DH-RSA-AES128-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 40
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(
+ "DHE-DSS-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ /* Camellia ciphersuites from RFC4132 (
+ 128-bit portion) */
+ // Cipher 41
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA(
+ "CAMELLIA128-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 42
+ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA(
+ "DH-DSS-CAMELLIA128-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 43
+ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA(
+ "DH-RSA-CAMELLIA128-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 44
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA(
+ "DHE-DSS-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 45
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA(
+ "DHE-RSA-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 46
+ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA(
+ "ADH-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ /* New TLS Export CipherSuites from expired ID */
+ // Cipher 60
+ TLS_RSA_EXPORT1024_WITH_RC4_56_MD5(
+ "EXP1024-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128,
+ "SSL_RSA_EXPORT1024_WITH_RC4_56_MD5"
+ ),
+ // Cipher 61
+ TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5(
+ "EXP1024-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128,
+ "SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD"
+ ),
+ // Cipher 62
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA(
+ "EXP1024-DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 56,
+ "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 63
+ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA(
+ "EXP1024-DHE-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 56,
+ "SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"
+ ),
+ // Cipher 64
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA(
+ "EXP1024-RC4-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128,
+ "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA"
+ ),
+ // Cipher 65
+ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA(
+ "EXP1024-DHE-DSS-RC4-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128,
+ "SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"
+ ),
+ // Cipher 66
+ TLS_DHE_DSS_WITH_RC4_128_SHA(
+ "DHE-DSS-RC4-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128,
+ "SSL_DHE_DSS_WITH_RC4_128_SHA"
+ ),
+ /* TLS v1.2 ciphersuites */
+ // Cipher 67
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(
+ "DHE-RSA-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 68
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA256(
+ "DH-DSS-AES256-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 69
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA256(
+ "DH-RSA-AES256-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 6A
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(
+ "DHE-DSS-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 6B
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(
+ "DHE-RSA-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 6C
+ TLS_DH_anon_WITH_AES_128_CBC_SHA256(
+ "ADH-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 6D
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256(
+ "ADH-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* GOST Ciphersuites */
+ /*
+ TLS_GOSTR341094_WITH_28147_CNT_IMIT(
+ "GOST94-GOST89-GOST89",
+ KeyExchange.GOST,
+ Authentication.GOST94,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ TLS_GOSTR341001_WITH_28147_CNT_IMIT(
+ "GOST2001-GOST89-GOST89",
+ KeyExchange.GOST,
+ Authentication.GOST01,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ TLS_GOSTR341094_WITH_NULL_GOSTR3411(
+ "GOST94-NULL-GOST94",
+ KeyExchange.GOST,
+ Authentication.GOST94,
+ Encryption.eNULL,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0
+ ),
+ TLS_GOSTR341001_WITH_NULL_GOSTR3411(
+ "GOST2001-NULL-GOST94",
+ KeyExchange.GOST,
+ Authentication.GOST01,
+ Encryption.eNULL,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0
+ ),*/
+ /* Camellia ciphersuites from RFC4132 (
+ 256-bit portion) */
+ // Cipher 84
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA(
+ "CAMELLIA256-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher 85
+ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA(
+ "DH-DSS-CAMELLIA256-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher 86
+ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA(
+ "DH-RSA-CAMELLIA256-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher 87
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA(
+ "DHE-DSS-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher 88
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA(
+ "DHE-RSA-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher 89
+ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA(
+ "ADH-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher 8A
+ TLS_PSK_WITH_RC4_128_SHA(
+ "PSK-RC4-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 8B
+ TLS_PSK_WITH_3DES_EDE_CBC_SHA(
+ "PSK-3DES-EDE-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher 8C
+ TLS_PSK_WITH_AES_128_CBC_SHA(
+ "PSK-AES128-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 8D
+ TLS_PSK_WITH_AES_256_CBC_SHA(
+ "PSK-AES256-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* SEED ciphersuites from RFC4162 */
+ // Cipher 96
+ TLS_RSA_WITH_SEED_CBC_SHA(
+ "SEED-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 97
+ TLS_DH_DSS_WITH_SEED_CBC_SHA(
+ "DH-DSS-SEED-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 98
+ TLS_DH_RSA_WITH_SEED_CBC_SHA(
+ "DH-RSA-SEED-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 99
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA(
+ "DHE-DSS-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 9A
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA(
+ "DHE-RSA-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 9B
+ TLS_DH_anon_WITH_SEED_CBC_SHA(
+ "ADH-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ /* GCM ciphersuites from RFC5288 */
+ // Cipher 9C
+ TLS_RSA_WITH_AES_128_GCM_SHA256(
+ "AES128-GCM-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 9D
+ TLS_RSA_WITH_AES_256_GCM_SHA384(
+ "AES256-GCM-SHA384",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 9E
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(
+ "DHE-RSA-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 9F
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(
+ "DHE-RSA-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A0
+ TLS_DH_RSA_WITH_AES_128_GCM_SHA256(
+ "DH-RSA-AES128-GCM-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A1
+ TLS_DH_RSA_WITH_AES_256_GCM_SHA384(
+ "DH-RSA-AES256-GCM-SHA384",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A2
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(
+ "DHE-DSS-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A3
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(
+ "DHE-DSS-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A4
+ TLS_DH_DSS_WITH_AES_128_GCM_SHA256(
+ "DH-DSS-AES128-GCM-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A5
+ TLS_DH_DSS_WITH_AES_256_GCM_SHA384(
+ "DH-DSS-AES256-GCM-SHA384",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A6
+ TLS_DH_anon_WITH_AES_128_GCM_SHA256(
+ "ADH-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A7
+ TLS_DH_anon_WITH_AES_256_GCM_SHA384(
+ "ADH-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (
+ Mar 15, 2001) */
+ // Cipher C001
+ TLS_ECDH_ECDSA_WITH_NULL_SHA(
+ "ECDH-ECDSA-NULL-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C002
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA(
+ "ECDH-ECDSA-RC4-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C003
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(
+ "ECDH-ECDSA-DES-CBC3-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C004
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(
+ "ECDH-ECDSA-AES128-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C005
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(
+ "ECDH-ECDSA-AES256-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C006
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA(
+ "ECDHE-ECDSA-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C007
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA(
+ "ECDHE-ECDSA-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C008
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(
+ "ECDHE-ECDSA-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C009
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(
+ "ECDHE-ECDSA-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C00A
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(
+ "ECDHE-ECDSA-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C00B
+ TLS_ECDH_RSA_WITH_NULL_SHA(
+ "ECDH-RSA-NULL-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C00C
+ TLS_ECDH_RSA_WITH_RC4_128_SHA(
+ "ECDH-RSA-RC4-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C00D
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(
+ "ECDH-RSA-DES-CBC3-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C00E
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(
+ "ECDH-RSA-AES128-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C00F
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(
+ "ECDH-RSA-AES256-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ TLS_ECDHE_RSA_WITH_NULL_SHA(
+ "ECDHE-RSA-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C011
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA(
+ "ECDHE-RSA-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C012
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(
+ "ECDHE-RSA-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C013
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(
+ "ECDHE-RSA-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C014
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(
+ "ECDHE-RSA-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C015
+ TLS_ECDH_anon_WITH_NULL_SHA(
+ "AECDH-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C016
+ TLS_ECDH_anon_WITH_RC4_128_SHA(
+ "AECDH-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C017
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA(
+ "AECDH-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C018
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA(
+ "AECDH-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C019
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA(
+ "AECDH-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* SRP ciphersuite from RFC 5054 */
+ // Cipher C01A
+ TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA(
+ "SRP-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.SRP,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01B
+ TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA(
+ "SRP-RSA-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01C
+ TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA(
+ "SRP-DSS-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01D
+ TLS_SRP_SHA_WITH_AES_128_CBC_SHA(
+ "SRP-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.SRP,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C01E
+ TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA(
+ "SRP-RSA-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C01F
+ TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA(
+ "SRP-DSS-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C020
+ TLS_SRP_SHA_WITH_AES_256_CBC_SHA(
+ "SRP-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.SRP,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher C021
+ TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA(
+ "SRP-RSA-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher C022
+ TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA(
+ "SRP-DSS-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
+ // Cipher C023
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(
+ "ECDHE-ECDSA-AES128-SHA256",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C024
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(
+ "ECDHE-ECDSA-AES256-SHA384",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C025
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(
+ "ECDH-ECDSA-AES128-SHA256",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C026
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(
+ "ECDH-ECDSA-AES256-SHA384",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C027
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(
+ "ECDHE-RSA-AES128-SHA256",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C028
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(
+ "ECDHE-RSA-AES256-SHA384",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C029
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(
+ "ECDH-RSA-AES128-SHA256",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02A
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(
+ "ECDH-RSA-AES256-SHA384",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* GCM based TLS v1.2 ciphersuites from RFC5289 */
+ // Cipher C02B
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02C
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C02D
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(
+ "ECDH-ECDSA-AES128-GCM-SHA256",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02E
+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(
+ "ECDH-ECDSA-AES256-GCM-SHA384",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C02F
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C030
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C031
+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(
+ "ECDH-RSA-AES128-GCM-SHA256",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C032
+ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(
+ "ECDH-RSA-AES256-GCM-SHA384",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // RC4_128_WITH_MD5
+ SSL_CK_RC4_128_WITH_MD5(
+ "RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // RC2_128_CBC_WITH_MD5
+ SSL_CK_RC2_128_CBC_WITH_MD5(
+ "RC2-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // RC2_128_CBC_EXPORT40_WITH_MD5
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5(
+ "EXP-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ /* TEMP_GOST_TLS*/
+ /*
+ // Cipher FF00
+ TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5(
+ "GOST-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ TLS_RSA_WITH_28147_CNT_GOST94(
+ "GOST-GOST94",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+ 256,
+ 256
+ ),
+ {
+ 1,
+ "GOST-GOST89MAC",
+ 0x0300ff02,
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ ),
+ {
+ 1,
+ "GOST-GOST89STREAM",
+ 0x0300ff03,
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+ 256,
+ 256
+ },*/
+ // Cipher 0x020080
+ SSL2_RC4_128_EXPORT40_WITH_MD5(
+ "EXP-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128,
+ "SSL_RC4_128_EXPORT40_WITH_MD5"
+ ),
+ // Cipher 0x030080 / 0x040080
+ SSL2_RC2_CBC_128_CBC_WITH_MD5(
+ "RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 0x050080
+ // IDEA_128_CBC_WITH_MD5
+ SSL2_IDEA_128_CBC_WITH_MD5(
+ "IDEA-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.IDEA,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false, EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128,
+ "SSL_CK_IDEA_128_CBC_WITH_MD5"
+ ),
+ // Cipher 0x060040
+ // DES_64_CBC_WITH_MD5
+ SSL2_DES_64_CBC_WITH_MD5(
+ "DES-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56,
+ "SSL_CK_DES_64_CBC_WITH_MD5"
+ ),
+ // Cipher 0x0700C0
+ // DES_192_EDE3_CBC_WITH_MD5
+ SSL2_DES_192_EDE3_CBC_WITH_MD5(
+ "DES-CBC3-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168,
+ "SSL_CK_DES_192_EDE3_CBC_WITH_MD5"
+ );
+
+
+ private final String openSSLAlias;
+ private final Set<String> jsseNames;
+ private final KeyExchange kx;
+ private final Authentication au;
+ private final Encryption enc;
+ private final MessageDigest mac;
+ private final Protocol protocol;
+ private final boolean export;
+ private final EncryptionLevel level;
+ private final boolean fipsCompatible;
+ /**
+ * Number of bits really used
+ */
+ private final int strength_bits;
+ /**
+ * Number of bits for algorithm
+ */
+ private final int alg_bits;
+
+ private Cipher(String openSSLAlias, KeyExchange kx, Authentication au, Encryption enc, MessageDigest mac,
+ Protocol protocol, boolean export, EncryptionLevel level, boolean fipsCompatible, int strength_bits,
+ int alg_bits, String... jsseAltNames) {
+ this.openSSLAlias = openSSLAlias;
+ Set<String> names = new HashSet<String>();
+ if (jsseAltNames != null) {
+ names.addAll(Arrays.asList(jsseAltNames));
+ }
+ names.add(name());
+ this.jsseNames = Collections.unmodifiableSet(names);
+ this.kx = kx;
+ this.au = au;
+ this.enc = enc;
+ this.mac = mac;
+ this.protocol = protocol;
+ this.export = export;
+ this.level = level;
+ this.fipsCompatible = fipsCompatible;
+ this.strength_bits = strength_bits;
+ this.alg_bits = alg_bits;
+ }
+
+ public String getOpenSSLAlias() {
+ return openSSLAlias;
+ }
+
+ public Set<String> getJsseNames() {
+ return jsseNames;
+ }
+
+ public KeyExchange getKx() {
+ return kx;
+ }
+
+ public Authentication getAu() {
+ return au;
+ }
+
+ public Encryption getEnc() {
+ return enc;
+ }
+
+ public MessageDigest getMac() {
+ return mac;
+ }
+
+ public Protocol getProtocol() {
+ return protocol;
+ }
+
+ public boolean isExport() {
+ return export;
+ }
+
+ public EncryptionLevel getLevel() {
+ return level;
+ }
+
+ public boolean isFipsCompatible() {
+ return fipsCompatible;
+ }
+
+ public int getStrength_bits() {
+ return strength_bits;
+ }
+
+ public int getAlg_bits() {
+ return alg_bits;
+ }
+
+}
Deleted: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,2304 +0,0 @@
-/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-package org.apache.tomcat.util.net.jsse.openssl;
-
-/**
- * All Ciphers for SSL/TSL.
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
- */
-enum Ciphers {
- /* The RSA ciphers */
- // Cipher 01
- SSL_RSA_WITH_NULL_MD5("NULL-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eNULL,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.STRONG_NONE,
- false,
- 0,
- 0),
- // Cipher 02
- SSL_RSA_WITH_NULL_SHA("NULL-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0),
- // Cipher 03
- SSL_RSA_EXPORT_WITH_RC4_40_MD5("EXP-RC4-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 04
- SSL_RSA_WITH_RC4_128_MD5("RC4-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 05
- SSL_RSA_WITH_RC4_128_SHA("RC4-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 06
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5("EXP-RC2-CBC-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC2,
- MessageDigest.MD5,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 07
- SSL_RSA_WITH_IDEA_CBC_SHA("IDEA-CBC-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.IDEA,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 08
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DES-CBC-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 09
- SSL_RSA_WITH_DES_CBC_SHA("DES-CBC-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 0A
- SSL_RSA_WITH_3DES_EDE_CBC_SHA("DES-CBC3-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- /* The DH ciphers */
- // Cipher 0B
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-DSS-DES-CBC-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 0C
- SSL_DH_DSS_WITH_DES_CBC_SHA("DH-DSS-DES-CBC-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 0D
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA("DH-DSS-DES-CBC3-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- // Cipher 0E
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-RSA-DES-CBC-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 0F
- SSL_DH_RSA_WITH_DES_CBC_SHA("DH-RSA-DES-CBC-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 10
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA("DH-RSA-DES-CBC3-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- /* The Ephemeral DH ciphers */
- // Cipher 11
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-DSS-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 12
- SSL_DHE_DSS_WITH_DES_CBC_SHA("EDH-DSS-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 13
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA("EDH-DSS-DES-CBC3-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- // Cipher 14
- TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-RSA-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 15
- TLS_DHE_RSA_WITH_DES_CBC_SHA("EDH-RSA-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 16
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA("EDH-RSA-DES-CBC3-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- // Cipher 17
- TLS_DH_anon_EXPORT_WITH_RC4_40_MD5("EXP-ADH-RC4-MD5",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 18
- TLS_DH_anon_WITH_RC4_128_MD5("ADH-RC4-MD5",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 19
- TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA("EXP-ADH-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 1A
- TLS_DH_anon_WITH_DES_CBC_SHA("ADH-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 1B
- TLS_DH_anon_WITH_3DES_EDE_CBC_SHA("ADH-DES-CBC3-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- /* Fortezza ciphersuite from SSL 3.0 spec */
- // Cipher 1C
- SSL_FORTEZZA_DMS_WITH_NULL_SHA("FZA-NULL-SHA",
- KeyExchange.FZA,
- Authentication.FZA,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.STRONG_NONE,
- false,
- 0,
- 0),
- // Cipher 1D
- SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA("FZA-FZA-CBC-SHA",
- KeyExchange.FZA,
- Authentication.FZA,
- Encryption.FZA,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.STRONG_NONE,
- false,
- 0,
- 0),
- // Cipher 1E
- SSL_FORTEZZA_DMS_WITH_RC4_128_SHA("FZA-RC4-SHA",
- KeyExchange.FZA,
- Authentication.FZA,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- /* The Kerberos ciphers*/
- // Cipher 1E
- /*TLS_KRB5_WITH_DES_CBC_SHA("KRB5-DES-CBC-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 1F
- TLS_KRB5_WITH_3DES_EDE_CBC_SHA("KRB5-DES-CBC3-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168),
- // Cipher 20
- TLS_KRB5_WITH_RC4_128_SHA("KRB5-RC4-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 21
- TLS_KRB5_WITH_IDEA_CBC_SHA("KRB5-IDEA-CBC-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.IDEA,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 22
- TLS_KRB5_WITH_DES_CBC_MD5("KRB5-DES-CBC-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.DES,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56),
- // Cipher 23
- TLS_KRB5_WITH_3DES_EDE_CBC_MD5("KRB5-DES-CBC3-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.TRIPLE_DES,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.HIGH,
- false,
- 168,
- 168),
- // Cipher 24
- TLS_KRB5_WITH_RC4_128_MD5("KRB5-RC4-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 25
- TLS_KRB5_WITH_IDEA_CBC_MD5("KRB5-IDEA-CBC-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.IDEA,
- MessageDigest.MD5,
- Protocol.SSLv3,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 26
- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA("EXP-KRB5-DES-CBC-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 27
- TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA("EXP-KRB5-RC2-CBC-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.RC2,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 28
- TLS_KRB5_EXPORT_WITH_RC4_40_SHA("EXP-KRB5-RC4-SHA",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 29
- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5("EXP-KRB5-DES-CBC-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.DES,
- MessageDigest.MD5,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 56),
- // Cipher 2A
- TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5("EXP-KRB5-RC2-CBC-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.RC2,
- MessageDigest.MD5,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),
- // Cipher 2B
- TLS_KRB5_EXPORT_WITH_RC4_40_MD5("EXP-KRB5-RC4-MD5",
- KeyExchange.KRB5,
- Authentication.KRB5,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv3,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128),*/
- /* New AES ciphersuites */
- // Cipher 2F
- TLS_RSA_WITH_AES_128_CBC_SHA("AES128-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 30
- TLS_DH_DSS_WITH_AES_128_CBC_SHA("DH-DSS-AES128-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 31
- TLS_DH_RSA_WITH_AES_128_CBC_SHA("DH-RSA-AES128-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 32
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA("DHE-DSS-AES128-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 33
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA("DHE-RSA-AES128-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 34
- TLS_DH_anon_WITH_AES_128_CBC_SHA("ADH-AES128-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 35
- TLS_RSA_WITH_AES_256_CBC_SHA("AES256-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 36
- TLS_DH_DSS_WITH_AES_256_CBC_SHA("DH-DSS-AES256-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 37
- TLS_DH_RSA_WITH_AES_256_CBC_SHA("DH-RSA-AES256-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 38
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA("DHE-DSS-AES256-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 39
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA("DHE-RSA-AES256-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256), // Cipher 3A
- TLS_DH_anon_WITH_AES_256_CBC_SHA("ADH-AES256-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- /* TLS v1.2 ciphersuites */
- // Cipher 3B
- TLS_RSA_WITH_NULL_SHA256("NULL-SHA256",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eNULL,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0),
- // Cipher 3C
- TLS_RSA_WITH_AES_128_CBC_SHA256("AES128-SHA256",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 3D
- TLS_RSA_WITH_AES_256_CBC_SHA256("AES256-SHA256",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 3E
- TLS_DH_DSS_WITH_AES_128_CBC_SHA256("DH-DSS-AES128-SHA256",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 3F
- TLS_DH_RSA_WITH_AES_128_CBC_SHA256("DH-RSA-AES128-SHA256",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 40
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256("DHE-DSS-AES128-SHA256",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- /* Camellia ciphersuites from RFC4132 (128-bit portion) */
- // Cipher 41
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA("CAMELLIA128-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.CAMELLIA128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128),
- // Cipher 42
- TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA("DH-DSS-CAMELLIA128-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.CAMELLIA128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128),
- // Cipher 43
- TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA("DH-RSA-CAMELLIA128-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.CAMELLIA128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128),
- // Cipher 44
- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA("DHE-DSS-CAMELLIA128-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.CAMELLIA128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128),
- // Cipher 45
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA("DHE-RSA-CAMELLIA128-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.CAMELLIA128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128),
- // Cipher 46
- TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA("ADH-CAMELLIA128-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.CAMELLIA128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128),
- /* New TLS Export CipherSuites from expired ID */
- // Cipher 60
- SSL_RSA_EXPORT1024_WITH_RC4_56_MD5("EXP1024-RC4-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.TLSv1,
- true,
- EncryptionLevel.EXP56,
- false,
- 56,
- 128),
- // Cipher 61
- SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD("EXP1024-RC2-CBC-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC2,
- MessageDigest.MD5,
- Protocol.TLSv1,
- true,
- EncryptionLevel.EXP56,
- false,
- 56,
- 128),
- // Cipher 62
- SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA("EXP1024-DES-CBC-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- true,
- EncryptionLevel.EXP56,
- false,
- 56,
- 56),
- // Cipher 63
- SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA("EXP1024-DHE-DSS-DES-CBC-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- true,
- EncryptionLevel.EXP56,
- false,
- 56,
- 56),
- // Cipher 64
- SSL_RSA_EXPORT1024_WITH_RC4_56_SHA("EXP1024-RC4-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- true,
- EncryptionLevel.EXP56,
- false,
- 56,
- 128),
- // Cipher 65
- SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA("EXP1024-DHE-DSS-RC4-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- true,
- EncryptionLevel.EXP56,
- false,
- 56,
- 128),
- // Cipher 66
- SSL_DHE_DSS_WITH_RC4_128_SHA("DHE-DSS-RC4-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- /* TLS v1.2 ciphersuites */
- // Cipher 67
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256("DHE-RSA-AES128-SHA256",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128),
- // Cipher 68
- TLS_DH_DSS_WITH_AES_256_CBC_SHA256("DH-DSS-AES256-SHA256",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.AES256,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 69
- TLS_DH_RSA_WITH_AES_256_CBC_SHA256("DH-RSA-AES256-SHA256",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.AES256,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 6A
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256("DHE-DSS-AES256-SHA256",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.AES256,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 6B
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256("DHE-RSA-AES256-SHA256",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- // Cipher 6C
- TLS_DH_anon_WITH_AES_128_CBC_SHA256("ADH-AES128-SHA256",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher 6D
- TLS_DH_anon_WITH_AES_256_CBC_SHA256("ADH-AES256-SHA256",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.AES256,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256),
- /* GOST Ciphersuites */
- TLS_GOSTR341094_WITH_28147_CNT_IMIT("GOST94-GOST89-GOST89",
- KeyExchange.GOST,
- Authentication.GOST94,
- Encryption.eGOST2814789CNT,
- MessageDigest.GOST89MAC,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- TLS_GOSTR341001_WITH_28147_CNT_IMIT("GOST2001-GOST89-GOST89",
- KeyExchange.GOST,
- Authentication.GOST01,
- Encryption.eGOST2814789CNT,
- MessageDigest.GOST89MAC,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- TLS_GOSTR341094_WITH_NULL_GOSTR3411("GOST94-NULL-GOST94",
- KeyExchange.GOST,
- Authentication.GOST94,
- Encryption.eNULL,
- MessageDigest.GOST94,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- false,
- 0,
- 0),
- TLS_GOSTR341001_WITH_NULL_GOSTR3411("GOST2001-NULL-GOST94",
- KeyExchange.GOST,
- Authentication.GOST01,
- Encryption.eNULL,
- MessageDigest.GOST94,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- false,
- 0,
- 0),
- /* Camellia ciphersuites from RFC4132 (256-bit portion) */
- // Cipher 84
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA("CAMELLIA256-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.CAMELLIA256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- // Cipher 85
- TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA("DH-DSS-CAMELLIA256-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.CAMELLIA256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- // Cipher 86
- TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SH("DH-RSA-CAMELLIA256-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.CAMELLIA256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- // Cipher 87
- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA("DHE-DSS-CAMELLIA256-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.CAMELLIA256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- // Cipher 88
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA("DHE-RSA-CAMELLIA256-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.CAMELLIA256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256), // Cipher 89
- TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA("ADH-CAMELLIA256-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.CAMELLIA256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256),
- // Cipher 8A
- TLS_PSK_WITH_RC4_128_SHA("PSK-RC4-SHA",
- KeyExchange.PSK,
- Authentication.PSK,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128),
- // Cipher 8B
- TLS_PSK_WITH_3DES_EDE_CBC_SHA("PSK-3DES-EDE-CBC-SHA",
- KeyExchange.PSK,
- Authentication.PSK,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168
- ),
- // Cipher 8C
- TLS_PSK_WITH_AES_128_CBC_SHA("PSK-AES128-CBC-SHA",
- KeyExchange.PSK,
- Authentication.PSK,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher 8D
- TLS_PSK_WITH_AES_256_CBC_SHA("PSK-AES256-CBC-SHA",
- KeyExchange.PSK,
- Authentication.PSK,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- /* SEED ciphersuites from RFC4162 */
- // Cipher 96
- TLS_RSA_WITH_SEED_CBC_SHA("SEED-SHA",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.SEED,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher 97
- TLS_DH_DSS_WITH_SEED_CBC_SHA("DH-DSS-SEED-SHA",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.SEED,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher 98
- TLS_DH_RSA_WITH_SEED_CBC_SHA("DH-RSA-SEED-SHA",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.SEED,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher 99
- TLS_DHE_DSS_WITH_SEED_CBC_SHA("DHE-DSS-SEED-SHA",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.SEED,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher 9A
- TLS_DHE_RSA_WITH_SEED_CBC_SHA("DHE-RSA-SEED-SHA",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.SEED,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher 9B
- TLS_DH_anon_WITH_SEED_CBC_SHA("ADH-SEED-SHA",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.SEED,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- /* GCM ciphersuites from RFC5288 */
- // Cipher 9C
- TLS_RSA_WITH_AES_128_GCM_SHA256("AES128-GCM-SHA256",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher 9D
- TLS_RSA_WITH_AES_256_GCM_SHA384("AES256-GCM-SHA384",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher 9E
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256("DHE-RSA-AES128-GCM-SHA256",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher 9F
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384("DHE-RSA-AES256-GCM-SHA384",
- KeyExchange.EDH,
- Authentication.RSA,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher A0
- TLS_DH_RSA_WITH_AES_128_GCM_SHA256("DH-RSA-AES128-GCM-SHA256",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher A1
- TLS_DH_RSA_WITH_AES_256_GCM_SHA384("DH-RSA-AES256-GCM-SHA384",
- KeyExchange.DHr,
- Authentication.DH,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher A2
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256("DHE-DSS-AES128-GCM-SHA256",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher A3
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384("DHE-DSS-AES256-GCM-SHA384",
- KeyExchange.EDH,
- Authentication.DSS,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher A4
- TLS_DH_DSS_WITH_AES_128_GCM_SHA256("DH-DSS-AES128-GCM-SHA256",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher A5
- TLS_DH_DSS_WITH_AES_256_GCM_SHA384("DH-DSS-AES256-GCM-SHA384",
- KeyExchange.DHd,
- Authentication.DH,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher A6
- TLS_DH_anon_WITH_AES_128_GCM_SHA256("ADH-AES128-GCM-SHA256",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher A7
- TLS_DH_anon_WITH_AES_256_GCM_SHA384("ADH-AES256-GCM-SHA384",
- KeyExchange.EDH,
- Authentication.aNULL,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- /* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
- // Cipher C001
- TLS_ECDH_ECDSA_WITH_NULL_SHA("ECDH-ECDSA-NULL-SHA",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0
- ),
- // Cipher C002
- TLS_ECDH_ECDSA_WITH_RC4_128_SHA("ECDH-ECDSA-RC4-SHA",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher C003
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA("ECDH-ECDSA-DES-CBC3-SHA",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168
- ),
- // Cipher C004
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA("ECDH-ECDSA-AES128-SHA",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C005
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA("ECDH-ECDSA-AES256-SHA",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C006
- TLS_ECDHE_ECDSA_WITH_NULL_SHA("ECDHE-ECDSA-NULL-SHA",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0
- ),
- // Cipher C007
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA("ECDHE-ECDSA-RC4-SHA",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher C008
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA("ECDHE-ECDSA-DES-CBC3-SHA",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168
- ),
- // Cipher C009
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA("ECDHE-ECDSA-AES128-SHA",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C00A
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA("ECDHE-ECDSA-AES256-SHA",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C00B
- TLS_ECDH_RSA_WITH_NULL_SHA("ECDH-RSA-NULL-SHA",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0
- ),
- // Cipher C00C
- TLS_ECDH_RSA_WITH_RC4_128_SHA("ECDH-RSA-RC4-SHA",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher C00D
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA("ECDH-RSA-DES-CBC3-SHA",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168
- ),
- // Cipher C00E
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA("ECDH-RSA-AES128-SHA",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C00F
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA("ECDH-RSA-AES256-SHA",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- TLS_ECDHE_RSA_WITH_NULL_SHA("ECDHE-RSA-NULL-SHA",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0
- ),
- // Cipher C011
- TLS_ECDHE_RSA_WITH_RC4_128_SHA("ECDHE-RSA-RC4-SHA",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher C012
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA("ECDHE-RSA-DES-CBC3-SHA",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168
- ),
- // Cipher C013
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA("ECDHE-RSA-AES128-SHA",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C014
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA("ECDHE-RSA-AES256-SHA",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C015
- TLS_ECDH_anon_WITH_NULL_SHA("AECDH-NULL-SHA",
- KeyExchange.EECDH,
- Authentication.aNULL,
- Encryption.eNULL,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.STRONG_NONE,
- true,
- 0,
- 0
- ),
- // Cipher C016
- TLS_ECDH_anon_WITH_RC4_128_SHA("AECDH-RC4-SHA",
- KeyExchange.EECDH,
- Authentication.aNULL,
- Encryption.RC4,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // Cipher C017
- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA("AECDH-DES-CBC3-SHA",
- KeyExchange.EECDH,
- Authentication.aNULL,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 168,
- 168
- ),
- // Cipher C018
- TLS_ECDH_anon_WITH_AES_128_CBC_SHA("AECDH-AES128-SHA",
- KeyExchange.EECDH,
- Authentication.aNULL,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C019
- TLS_ECDH_anon_WITH_AES_256_CBC_SHA("AECDH-AES256-SHA",
- KeyExchange.EECDH,
- Authentication.aNULL,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- /* SRP ciphersuite from RFC 5054 */
- // Cipher C01A
- TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA("SRP-3DES-EDE-CBC-SHA",
- KeyExchange.SRP,
- Authentication.aNULL,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 168,
- 168
- ),
- // Cipher C01B
- TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA("SRP-RSA-3DES-EDE-CBC-SHA",
- KeyExchange.SRP,
- Authentication.RSA,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 168,
- 168
- ),
- // Cipher C01C
- TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA("SRP-DSS-3DES-EDE-CBC-SHA",
- KeyExchange.SRP,
- Authentication.DSS,
- Encryption.TRIPLE_DES,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 168,
- 168
- ),
- // Cipher C01D
- TLS_SRP_SHA_WITH_AES_128_CBC_SHA("SRP-AES-128-CBC-SHA",
- KeyExchange.SRP,
- Authentication.aNULL,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128
- ),
- // Cipher C01E
- TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA("SRP-RSA-AES-128-CBC-SHA",
- KeyExchange.SRP,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128
- ),
- // Cipher C01F
- TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA("SRP-DSS-AES-128-CBC-SHA",
- KeyExchange.SRP,
- Authentication.DSS,
- Encryption.AES128,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 128,
- 128
- ),
- // Cipher C020
- TLS_SRP_SHA_WITH_AES_256_CBC_SHA("SRP-AES-256-CBC-SHA",
- KeyExchange.SRP,
- Authentication.aNULL,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256
- ),
- // Cipher C021
- TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA("SRP-RSA-AES-256-CBC-SHA",
- KeyExchange.SRP,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256
- ),
- // Cipher C022
- TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA("SRP-DSS-AES-256-CBC-SHA",
- KeyExchange.SRP,
- Authentication.DSS,
- Encryption.AES256,
- MessageDigest.SHA1,
- Protocol.TLSv1,
- false,
- EncryptionLevel.HIGH,
- false,
- 256,
- 256
- ),
- /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
- // Cipher C023
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256("ECDHE-ECDSA-AES128-SHA256",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C024
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384("ECDHE-ECDSA-AES256-SHA384",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.AES256,
- MessageDigest.SHA384,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C025
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256("ECDH-ECDSA-AES128-SHA256",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C026
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384("ECDH-ECDSA-AES256-SHA384",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.AES256,
- MessageDigest.SHA384,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C027
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256("ECDHE-RSA-AES128-SHA256",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C028
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384("ECDHE-RSA-AES256-SHA384",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.AES256,
- MessageDigest.SHA384,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C029
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256("ECDH-RSA-AES128-SHA256",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.AES128,
- MessageDigest.SHA256,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C02A
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384("ECDH-RSA-AES256-SHA384",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.AES256,
- MessageDigest.SHA384,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- /* GCM based TLS v1.2 ciphersuites from RFC5289 */
- // Cipher C02B
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256("ECDHE-ECDSA-AES128-GCM-SHA256",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C02C
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384("ECDHE-ECDSA-AES256-GCM-SHA384",
- KeyExchange.EECDH,
- Authentication.ECDSA,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C02D
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256("ECDH-ECDSA-AES128-GCM-SHA256",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C02E
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384("ECDH-ECDSA-AES256-GCM-SHA384",
- KeyExchange.ECDHe,
- Authentication.ECDH,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C02F
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256("ECDHE-RSA-AES128-GCM-SHA256",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C030
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384("ECDHE-RSA-AES256-GCM-SHA384",
- KeyExchange.EECDH,
- Authentication.RSA,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // Cipher C031
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256("ECDH-RSA-AES128-GCM-SHA256",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.AES128GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 128,
- 128
- ),
- // Cipher C032
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384("ECDH-RSA-AES256-GCM-SHA384",
- KeyExchange.ECDHr,
- Authentication.ECDH,
- Encryption.AES256GCM,
- MessageDigest.AEAD,
- Protocol.TLSv1_2,
- false,
- EncryptionLevel.HIGH,
- true,
- 256,
- 256
- ),
- // RC4_128_WITH_MD5
- SSL_CK_RC4_128_WITH_MD5("RC4-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv2,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // RC4_128_EXPORT40_WITH_MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5("EXP-RC4-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC4,
- MessageDigest.MD5,
- Protocol.SSLv2,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128
- ),
- // RC2_128_CBC_WITH_MD5
- SSL_CK_RC2_128_CBC_WITH_MD5("RC2-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC2,
- MessageDigest.MD5,
- Protocol.SSLv2,
- false,
- EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // RC2_128_CBC_EXPORT40_WITH_MD5
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5("EXP-RC2-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.RC2,
- MessageDigest.MD5,
- Protocol.SSLv2,
- true,
- EncryptionLevel.EXP40,
- false,
- 40,
- 128
- ),
- // IDEA_128_CBC_WITH_MD5
- SSL_CK_IDEA_128_CBC_WITH_MD5("IDEA-CBC-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.IDEA,
- MessageDigest.MD5,
- Protocol.SSLv2,
- false, EncryptionLevel.MEDIUM,
- false,
- 128,
- 128
- ),
- // DES_64_CBC_WITH_MD5
- SSL_CK_DES_64_CBC_WITH_MD5("DES-CBC-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.DES,
- MessageDigest.MD5,
- Protocol.SSLv2,
- false,
- EncryptionLevel.LOW,
- false,
- 56,
- 56
- ),
- // DES_192_EDE3_CBC_WITH_MD5
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5("DES-CBC3-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.TRIPLE_DES,
- MessageDigest.MD5,
- Protocol.SSLv2,
- false,
- EncryptionLevel.HIGH,
- false,
- 168,
- 168
- );
-
- /* TEMP_GOST_TLS*/
- /*
- // Cipher FF00
- TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5("GOST-MD5",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eGOST2814789CNT,
- MessageDigest.MD5,
- Protocol.TLSv1,
- false, EncryptionLevel.HIGH,false,
-
- 256,
- 256,
- ),
- TLS_RSA_WITH_28147_CNT_GOST94(
- "GOST-GOST94",
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eGOST2814789CNT,
- MessageDigest.GOST94,
- Protocol.TLSv1,
- false, EncryptionLevel.HIGH,false,
-
- 256,
- 256
- ),
- {
- 1,
- "GOST-GOST89MAC",
- 0x0300ff02,
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eGOST2814789CNT,
- MessageDigest.GOST89MAC,
- Protocol.TLSv1,
- false, EncryptionLevel.HIGH,false,
-
- 256,
- 256
- ),
- {
- 1,
- "GOST-GOST89STREAM",
- 0x0300ff03,
- KeyExchange.RSA,
- Authentication.RSA,
- Encryption.eGOST2814789CNT,
- MessageDigest.GOST89MAC,
- Protocol.TLSv1,
- false, EncryptionLevel.HIGH,false,
-
- 256,
- 256
- };*/
- private final String openSSLAlias;
- private final KeyExchange kx;
- private final Authentication au;
- private final Encryption enc;
- private final MessageDigest mac;
- private final Protocol protocol;
- private final boolean export;
- private final EncryptionLevel level;
- private final boolean fipsCompatible;
- /**
- * Number of bits really used
- */
- private final int strength_bits;
- /**
- * Number of bits for algorithm
- */
- private final int alg_bits;
-
- Ciphers(String openSSLAlias, KeyExchange kx, Authentication au,
- Encryption enc, MessageDigest mac, Protocol protocol, boolean export,
- EncryptionLevel level, boolean fipsCompatible, int strength_bits,
- int alg_bits) {
- this.openSSLAlias = openSSLAlias;
- this.kx = kx;
- this.au = au;
- this.enc = enc;
- this.mac = mac;
- this.protocol = protocol;
- this.export = export;
- this.level = level;
- this.fipsCompatible = fipsCompatible;
- this.strength_bits = strength_bits;
- this.alg_bits = alg_bits;
- }
-
- public String getOpenSSLAlias() {
- return openSSLAlias;
- }
-
- public KeyExchange getKx() {
- return kx;
- }
-
- public Authentication getAu() {
- return au;
- }
-
- public Encryption getEnc() {
- return enc;
- }
-
- public MessageDigest getMac() {
- return mac;
- }
-
- public Protocol getProtocol() {
- return protocol;
- }
-
- public boolean isExport() {
- return export;
- }
-
- public EncryptionLevel getLevel() {
- return level;
- }
-
- public boolean isFipsCompatible() {
- return fipsCompatible;
- }
-
- public int getStrength_bits() {
- return strength_bits;
- }
-
- public int getAlg_bits() {
- return alg_bits;
- }
-
-}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,30 +1,22 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
-/**
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014
- * Red Hat, inc.
- */
enum Encryption {
AES256GCM, AES256, AES128GCM, AES128, CAMELLIA256, CAMELLIA128, TRIPLE_DES, DES, IDEA, eGOST2814789CNT, SEED, FZA, RC4, RC2, eNULL;
}
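Review bot: With the `@author` Javadoc removed and nothing put in its place, `enum Encryption` has no type-level documentation on the new side, and its single constant line lists `eNULL`, `RC2`, `RC4` and `DES` beside the AES and Camellia entries with no hint that they differ in strength. Judging by the `Ciphers` constructor visible earlier in this diff, the enum only labels the cipher of a suite, and the strength rating is carried separately by `EncryptionLevel`. That split is worth stating so that nobody treats membership in this enum as an allow-list. I would add above the enum: `/** Encryption algorithm of a cipher suite. Includes eNULL (no encryption) and legacy ciphers; presence here does not mean a suite is safe to enable. */`.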
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,29 +1,22 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
-/**
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
- */
enum EncryptionLevel {
STRONG_NONE, EXP40, EXP56, LOW, MEDIUM, HIGH, FIPS;
}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,29 +1,22 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
-/**
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
- */
enum KeyExchange {
EECDH /* ephemeral ECDH */,
RSA /* RSA key exchange */,
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,29 +1,22 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
-/**
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
- */
enum MessageDigest {
MD5, SHA1, GOST94, GOST89MAC, SHA256, SHA384, AEAD;
}
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,23 +1,20 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
import java.util.ArrayList;
@@ -35,8 +32,6 @@
/**
* Class in charge with parsing openSSL expressions to define a list of ciphers.
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
*/
public class OpenSSLCipherConfigurationParser {
@@ -52,7 +47,7 @@
* If ! is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list
* even if they are explicitly stated.
*/
- private final static String EXCLUDE = "!";
+ private static final String EXCLUDE = "!";
/**
* If - is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later
* options.
@@ -64,15 +59,15 @@
*/
private static final String TO_END = "+";
/**
- * Lists of cipher suites can be combined in a single cipher string using the + character.
- * This is used as a logical and operation.
- * For example SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms.
+ * Lists of cipher suites can be combined in a single cipher string using the + character.
+ * This is used as a logical and operation.
+ * For example SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms.
*/
private static final String AND = "+";
/**
* All ciphers by their openssl alias name.
*/
- private static final Map<String, List<Ciphers>> aliases = new LinkedHashMap<String, List<Ciphers>>();
+ private static final Map<String, List<Cipher>> aliases = new LinkedHashMap<String, List<Cipher>>();
/**
* the 'NULL' ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk
@@ -120,7 +115,8 @@
*/
private static final String aRSA = "aRSA";
/**
- * Cipher suites using RSA for key exchange or for authentication.
+ * Cipher suites using RSA for key exchange
+ * Despite what the docs say, RSA is equivalent to kRSA.
*/
private static final String RSA = "RSA";
/**
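Review bot: The rewritten Javadoc on `RSA` has no full stop after "key exchange", so the summary sentence runs straight into the second line, and "the docs" does not say which documentation is meant. The comment this commit adds in `init()` names the OpenSSL docs, so presumably the same is meant here. Suggested wording: `Cipher suites using RSA for key exchange.` followed by `Despite what the OpenSSL docs say, RSA is equivalent to kRSA.`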
@@ -168,6 +164,11 @@
*/
private static final String kEECDH = "kEECDH";
/**
+ * Cipher suites using ephemeral ECDH key agreement, excluding anonymous cipher suites.
+ * Same as "kEECDH:-AECDH"
+ */
+ private static final String EECDH = "EECDH";
+ /**
* Cipher suitesusing ECDH key exchange, including anonymous, ephemeral and fixed ECDH.
*/
private static final String ECDH = "ECDH";
@@ -226,7 +227,7 @@
/**
* TLS v1.2 cipher suites. Note: there are no cipher suites specific to TLS v1.1.
*/
- private static final String TLSv1_2 = "TLSv1_2";
+ private static final String TLSv1_2 = "TLSv1.2";
/**
* TLS v1.0 cipher suites.
*/
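Review bot: Changing the value of `TLSv1_2` from `"TLSv1_2"` to `"TLSv1.2"` drops the old spelling from the alias table, so an existing cipher expression that uses `TLSv1_2` (for example as an exclusion) no longer matches this alias. How `parse` treats an element it does not recognise is not visible in this hunk; if it is skipped silently, the effective cipher list changes without any warning to the operator. I would state the spelling in the constant's Javadoc, e.g. `The alias is spelled "TLSv1.2" as in OpenSSL; the earlier "TLSv1_2" spelling is not recognised.`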
@@ -361,154 +362,162 @@
private static final void init() {
- for (Ciphers cipher : Ciphers.values()) {
+ for (Cipher cipher : Cipher.values()) {
String alias = cipher.getOpenSSLAlias();
if (aliases.containsKey(alias)) {
aliases.get(alias).add(cipher);
} else {
- List<Ciphers> list = new ArrayList<Ciphers>();
+ List<Cipher> list = new ArrayList<Cipher>();
list.add(cipher);
aliases.put(alias, list);
}
aliases.put(cipher.name(), Collections.singletonList(cipher));
}
- List<Ciphers> allCiphers = Arrays.asList(Ciphers.values());
- Collections.reverse(allCiphers);
- LinkedHashSet<Ciphers> all = defaultSort(new LinkedHashSet<Ciphers>(allCiphers));
+ List<Cipher> allCiphersList = Arrays.asList(Cipher.values());
+ Collections.reverse(allCiphersList);
+ LinkedHashSet<Cipher> allCiphers = defaultSort(new LinkedHashSet<Cipher>(allCiphersList));
+ addListAlias(eNULL, filterByEncryption(allCiphers, Collections.singleton(Encryption.eNULL)));
+ LinkedHashSet<Cipher> all = new LinkedHashSet<Cipher>(allCiphers);
+ remove(all, eNULL);
addListAlias(ALL, all);
- addListAlias(HIGH, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.HIGH)));
- addListAlias(MEDIUM, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.MEDIUM)));
- addListAlias(LOW, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.LOW)));
- addListAlias(EXPORT, filterByEncryptionLevel(all, new HashSet<EncryptionLevel>(Arrays.asList(EncryptionLevel.EXP40, EncryptionLevel.EXP56))));
+ addListAlias(HIGH, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.HIGH)));
+ addListAlias(MEDIUM, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.MEDIUM)));
+ addListAlias(LOW, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.LOW)));
+ addListAlias(EXPORT, filterByEncryptionLevel(allCiphers, new HashSet<EncryptionLevel>(Arrays.asList(EncryptionLevel.EXP40, EncryptionLevel.EXP56))));
aliases.put("EXP", aliases.get(EXPORT));
- addListAlias(EXPORT40, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.EXP40)));
- addListAlias(EXPORT56, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.EXP56)));
- addListAlias(eNULL, filterByEncryption(all, Collections.singleton(Encryption.eNULL)));
+ addListAlias(EXPORT40, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.EXP40)));
+ addListAlias(EXPORT56, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.EXP56)));
aliases.put("NULL", aliases.get(eNULL));
aliases.put(COMPLEMENTOFALL, aliases.get(eNULL));
- addListAlias(aNULL, filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
- addListAlias(kRSA, filterByKeyExchange(all, Collections.singleton(KeyExchange.RSA)));
- addListAlias(aRSA, filterByAuthentication(all, Collections.singleton(Authentication.RSA)));
- addListAlias(RSA, filter(all, null, Collections.singleton(KeyExchange.RSA), Collections.singleton(Authentication.RSA), null, null, null));
- addListAlias(kEDH, filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH)));
- addListAlias(kDHE, filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH)));
- Set<Ciphers> edh = filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH));
- edh.removeAll(filterByAuthentication(all, Collections.singleton(Authentication.DH)));
+ addListAlias(aNULL, filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
+ addListAlias(kRSA, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.RSA)));
+ addListAlias(aRSA, filterByAuthentication(allCiphers, Collections.singleton(Authentication.RSA)));
+ // Despite what the docs say, RSA is equivalent to kRSA
+ aliases.put(RSA, aliases.get(kRSA));
+ addListAlias(kEDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EDH)));
+ addListAlias(kDHE, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EDH)));
+ Set<Cipher> edh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EDH));
+ edh.removeAll(filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
addListAlias(EDH, edh);
addListAlias(DHE, edh);
- addListAlias(kDHr, filterByKeyExchange(all, Collections.singleton(KeyExchange.DHr)));
- addListAlias(kDHd, filterByKeyExchange(all, Collections.singleton(KeyExchange.DHd)));
- addListAlias(kDH, filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd))));
+ addListAlias(kDHr, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.DHr)));
+ addListAlias(kDHd, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.DHd)));
+ addListAlias(kDH, filterByKeyExchange(allCiphers, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd))));
- addListAlias(kECDHr, filterByKeyExchange(all, Collections.singleton(KeyExchange.ECDHr)));
- addListAlias(kECDHe, filterByKeyExchange(all, Collections.singleton(KeyExchange.ECDHe)));
- addListAlias(kECDH, filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr))));
- aliases.put(ECDH, aliases.get(kECDH));
- addListAlias(kECDHE, filterByKeyExchange(all, Collections.singleton(KeyExchange.ECDHe)));
+ addListAlias(kECDHr, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHr)));
+ addListAlias(kECDHe, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHe)));
+ addListAlias(kECDH, filterByKeyExchange(allCiphers, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr))));
+ addListAlias(ECDH, filterByKeyExchange(allCiphers, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr, KeyExchange.EECDH))));
+ addListAlias(kECDHE, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHe)));
aliases.put(ECDHE, aliases.get(kECDHE));
- addListAlias(kEECDH, filterByKeyExchange(all, Collections.singleton(KeyExchange.EECDH)));
+ addListAlias(kEECDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
aliases.put(EECDHE, aliases.get(kEECDH));
- addListAlias(aDSS, filterByAuthentication(all, Collections.singleton(Authentication.DSS)));
+ Set<Cipher> eecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
+ eecdh.removeAll(filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
+ addListAlias(EECDH, eecdh);
+ addListAlias(aDSS, filterByAuthentication(allCiphers, Collections.singleton(Authentication.DSS)));
aliases.put("DSS", aliases.get(aDSS));
- addListAlias(aDH, filterByAuthentication(all, Collections.singleton(Authentication.DH)));
- Set<Ciphers> aecdh = filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr)));
- aecdh.retainAll(filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
- addListAlias(AECDH, aecdh);
- addListAlias(aECDH, filterByAuthentication(all, Collections.singleton(Authentication.ECDH)));
- addListAlias(ECDSA, filterByAuthentication(all, Collections.singleton(Authentication.ECDSA)));
+ addListAlias(aDH, filterByAuthentication(allCiphers, Collections.singleton(Authentication.DH)));
+ Set<Cipher> aecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
+ addListAlias(AECDH, filterByAuthentication(aecdh, Collections.singleton(Authentication.aNULL)));
+ addListAlias(aECDH, filterByAuthentication(allCiphers, Collections.singleton(Authentication.ECDH)));
+ addListAlias(ECDSA, filterByAuthentication(allCiphers, Collections.singleton(Authentication.ECDSA)));
aliases.put(aECDSA, aliases.get(ECDSA));
- addListAlias(kFZA, filterByKeyExchange(all, Collections.singleton(KeyExchange.FZA)));
- addListAlias(aFZA, filterByAuthentication(all, Collections.singleton(Authentication.FZA)));
- addListAlias(eFZA, filterByEncryption(all, Collections.singleton(Encryption.FZA)));
- addListAlias(FZA, filter(all, null, Collections.singleton(KeyExchange.FZA), Collections.singleton(Authentication.FZA), Collections.singleton(Encryption.FZA), null, null));
- addListAlias(TLSv1_2, filterByProtocol(all, Collections.singleton(Protocol.TLSv1_2)));
- addListAlias("TLSv1.1", filterByProtocol(all, Collections.singleton(Protocol.SSLv3)));
- addListAlias(TLSv1, filterByProtocol(all, Collections.singleton(Protocol.TLSv1)));
- addListAlias(SSLv3, filterByProtocol(all, Collections.singleton(Protocol.SSLv3)));
- addListAlias(SSLv2, filterByProtocol(all, Collections.singleton(Protocol.SSLv2)));
- addListAlias(DH, filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd, KeyExchange.EDH))));
- Set<Ciphers> adh = filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH));
- adh.retainAll(filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
+ addListAlias(kFZA, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.FZA)));
+ addListAlias(aFZA, filterByAuthentication(allCiphers, Collections.singleton(Authentication.FZA)));
+ addListAlias(eFZA, filterByEncryption(allCiphers, Collections.singleton(Encryption.FZA)));
+ addListAlias(FZA, filter(allCiphers, null, Collections.singleton(KeyExchange.FZA), Collections.singleton(Authentication.FZA), Collections.singleton(Encryption.FZA), null, null));
+ addListAlias(TLSv1_2, filterByProtocol(allCiphers, Collections.singleton(Protocol.TLSv1_2)));
+ addListAlias("TLSv1.1", filterByProtocol(allCiphers, Collections.singleton(Protocol.SSLv3)));
+ addListAlias(TLSv1, filterByProtocol(allCiphers, new HashSet<Protocol>(Arrays.asList(Protocol.TLSv1, Protocol.SSLv3))));
+ aliases.put(SSLv3, aliases.get(TLSv1));
+ addListAlias(SSLv2, filterByProtocol(allCiphers, Collections.singleton(Protocol.SSLv2)));
+ addListAlias(DH, filterByKeyExchange(allCiphers, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd, KeyExchange.EDH))));
+ Set<Cipher> adh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EDH));
+ adh.retainAll(filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
addListAlias(ADH, adh);
- addListAlias(AES128, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM))));
- addListAlias(AES256, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES256, Encryption.AES256GCM))));
- addListAlias(AES, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM, Encryption.AES256, Encryption.AES256GCM))));
- addListAlias(AESGCM, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES128GCM, Encryption.AES256GCM))));
- addListAlias(CAMELLIA, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.CAMELLIA128, Encryption.CAMELLIA256))));
- addListAlias(CAMELLIA128, filterByEncryption(all, Collections.singleton(Encryption.CAMELLIA128)));
- addListAlias(CAMELLIA256, filterByEncryption(all, Collections.singleton(Encryption.CAMELLIA256)));
- addListAlias(TRIPLE_DES, filterByEncryption(all, Collections.singleton(Encryption.TRIPLE_DES)));
- addListAlias(DES, filterByEncryption(all, Collections.singleton(Encryption.DES)));
- addListAlias(RC4, filterByEncryption(all, Collections.singleton(Encryption.RC4)));
- addListAlias(RC2, filterByEncryption(all, Collections.singleton(Encryption.RC2)));
- addListAlias(IDEA, filterByEncryption(all, Collections.singleton(Encryption.IDEA)));
- addListAlias(SEED, filterByEncryption(all, Collections.singleton(Encryption.SEED)));
- addListAlias(MD5, filterByMessageDigest(all, Collections.singleton(MessageDigest.MD5)));
- addListAlias(SHA1, filterByMessageDigest(all, Collections.singleton(MessageDigest.SHA1)));
+ addListAlias(AES128, filterByEncryption(allCiphers, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM))));
+ addListAlias(AES256, filterByEncryption(allCiphers, new HashSet<Encryption>(Arrays.asList(Encryption.AES256, Encryption.AES256GCM))));
+ addListAlias(AES, filterByEncryption(allCiphers, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM, Encryption.AES256, Encryption.AES256GCM))));
+ addListAlias(AESGCM, filterByEncryption(allCiphers, new HashSet<Encryption>(Arrays.asList(Encryption.AES128GCM, Encryption.AES256GCM))));
+ addListAlias(CAMELLIA, filterByEncryption(allCiphers, new HashSet<Encryption>(Arrays.asList(Encryption.CAMELLIA128, Encryption.CAMELLIA256))));
+ addListAlias(CAMELLIA128, filterByEncryption(allCiphers, Collections.singleton(Encryption.CAMELLIA128)));
+ addListAlias(CAMELLIA256, filterByEncryption(allCiphers, Collections.singleton(Encryption.CAMELLIA256)));
+ addListAlias(TRIPLE_DES, filterByEncryption(allCiphers, Collections.singleton(Encryption.TRIPLE_DES)));
+ addListAlias(DES, filterByEncryption(allCiphers, Collections.singleton(Encryption.DES)));
+ addListAlias(RC4, filterByEncryption(allCiphers, Collections.singleton(Encryption.RC4)));
+ addListAlias(RC2, filterByEncryption(allCiphers, Collections.singleton(Encryption.RC2)));
+ addListAlias(IDEA, filterByEncryption(allCiphers, Collections.singleton(Encryption.IDEA)));
+ addListAlias(SEED, filterByEncryption(allCiphers, Collections.singleton(Encryption.SEED)));
+ addListAlias(MD5, filterByMessageDigest(allCiphers, Collections.singleton(MessageDigest.MD5)));
+ addListAlias(SHA1, filterByMessageDigest(allCiphers, Collections.singleton(MessageDigest.SHA1)));
aliases.put(SHA, aliases.get(SHA1));
- addListAlias(SHA256, filterByMessageDigest(all, Collections.singleton(MessageDigest.SHA256)));
- addListAlias(SHA384, filterByMessageDigest(all, Collections.singleton(MessageDigest.SHA384)));
- addListAlias(aGOST, filterByAuthentication(all, new HashSet<Authentication>(Arrays.asList(Authentication.GOST01, Authentication.GOST94))));
- addListAlias(aGOST01, filterByAuthentication(all, Collections.singleton(Authentication.GOST01)));
- addListAlias(aGOST94, filterByAuthentication(all, Collections.singleton(Authentication.GOST94)));
- addListAlias(kGOST, filterByKeyExchange(all, Collections.singleton(KeyExchange.GOST)));
- addListAlias(GOST94, filterByMessageDigest(all, Collections.singleton(MessageDigest.GOST94)));
- addListAlias(GOST89MAC, filterByMessageDigest(all, Collections.singleton(MessageDigest.GOST89MAC)));
- addListAlias(PSK, filter(all, null, Collections.singleton(KeyExchange.PSK), Collections.singleton(Authentication.PSK), null, null, null));
- addListAlias(KRB5, filter(all, null, Collections.singleton(KeyExchange.KRB5), Collections.singleton(Authentication.KRB5), null, null, null));
+ addListAlias(SHA256, filterByMessageDigest(allCiphers, Collections.singleton(MessageDigest.SHA256)));
+ addListAlias(SHA384, filterByMessageDigest(allCiphers, Collections.singleton(MessageDigest.SHA384)));
+ addListAlias(aGOST, filterByAuthentication(allCiphers, new HashSet<Authentication>(Arrays.asList(Authentication.GOST01, Authentication.GOST94))));
+ addListAlias(aGOST01, filterByAuthentication(allCiphers, Collections.singleton(Authentication.GOST01)));
+ addListAlias(aGOST94, filterByAuthentication(allCiphers, Collections.singleton(Authentication.GOST94)));
+ addListAlias(kGOST, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.GOST)));
+ addListAlias(GOST94, filterByMessageDigest(allCiphers, Collections.singleton(MessageDigest.GOST94)));
+ addListAlias(GOST89MAC, filterByMessageDigest(allCiphers, Collections.singleton(MessageDigest.GOST89MAC)));
+ addListAlias(PSK, filter(allCiphers, null, Collections.singleton(KeyExchange.PSK), Collections.singleton(Authentication.PSK), null, null, null));
+ addListAlias(KRB5, filter(allCiphers, null, Collections.singleton(KeyExchange.KRB5), Collections.singleton(Authentication.KRB5), null, null, null));
initialized = true;
- String defaultExpression = System.getProperty(DEFAULT_EXPRESSION_KEY, "ALL:!eNULL:!aNULL");
+ // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
+ String defaultExpression = System.getProperty(DEFAULT_EXPRESSION_KEY, "ALL:!eNULL:!aNULL:!SSLv2");
addListAlias(DEFAULT, parse(defaultExpression));
- LinkedHashSet<Ciphers> complementOfDefault = new LinkedHashSet<Ciphers>(all);
- complementOfDefault.removeAll(aliases.get(DEFAULT));
+ // COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
+ Set<Cipher> complementOfDefault = filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.EDH,KeyExchange.EECDH)));
+ complementOfDefault = filterByAuthentication(complementOfDefault, Collections.singleton(Authentication.aNULL));
+ complementOfDefault.removeAll(aliases.get(eNULL));
addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
}
- static void addListAlias(String alias, Set<Ciphers> ciphers) {
- aliases.put(alias, new ArrayList<Ciphers>(ciphers));
+ static void addListAlias(String alias, Set<Cipher> ciphers) {
+ aliases.put(alias, new ArrayList<Cipher>(ciphers));
}
- static void moveToEnd(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ static void moveToEnd(final LinkedHashSet<Cipher> ciphers, final String alias) {
moveToEnd(ciphers, aliases.get(alias));
}
- static void moveToEnd(final LinkedHashSet<Ciphers> ciphers, final Collection<Ciphers> toBeMovedCiphers) {
- List<Ciphers> movedCiphers = new ArrayList<Ciphers>(toBeMovedCiphers);
+ static void moveToEnd(final LinkedHashSet<Cipher> ciphers, final Collection<Cipher> toBeMovedCiphers) {
+ List<Cipher> movedCiphers = new ArrayList<Cipher>(toBeMovedCiphers);
movedCiphers.retainAll(ciphers);
ciphers.removeAll(movedCiphers);
ciphers.addAll(movedCiphers);
}
- static void add(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ static void add(final LinkedHashSet<Cipher> ciphers, final String alias) {
ciphers.addAll(aliases.get(alias));
}
- static void remove(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ static void remove(final LinkedHashSet<Cipher> ciphers, final String alias) {
ciphers.removeAll(aliases.get(alias));
}
- static LinkedHashSet<Ciphers> strengthSort(final LinkedHashSet<Ciphers> ciphers) {
+ static LinkedHashSet<Cipher> strengthSort(final LinkedHashSet<Cipher> ciphers) {
/*
* This routine sorts the ciphers with descending strength. The sorting
* must keep the pre-sorted sequence, so we apply the normal sorting
* routine as '+' movement to the end of the list.
*/
Set<Integer> keySizes = new HashSet<Integer>();
- for (Ciphers cipher : ciphers) {
- keySizes.add(cipher.getStrength_bits());
+ for (Cipher cipher : ciphers) {
+ keySizes.add(Integer.valueOf(cipher.getStrength_bits()));
}
List<Integer> strength_bits = new ArrayList<Integer>(keySizes);
Collections.sort(strength_bits);
Collections.reverse(strength_bits);
- final LinkedHashSet<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers);
+ final LinkedHashSet<Cipher> result = new LinkedHashSet<Cipher>(ciphers);
for (int strength : strength_bits) {
moveToEnd(result, filterByStrengthBits(ciphers, strength));
}
return result;
}
- static LinkedHashSet<Ciphers> defaultSort(final LinkedHashSet<Ciphers> ciphers) {
- final LinkedHashSet<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
+ static LinkedHashSet<Cipher> defaultSort(final LinkedHashSet<Cipher> ciphers) {
+ final LinkedHashSet<Cipher> result = new LinkedHashSet<Cipher>(ciphers.size());
/* Now arrange all ciphers by preference: */
/* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
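Review bot: The new `!SSLv2` exclusion in `init()` exists only in the fallback argument of `System.getProperty(DEFAULT_EXPRESSION_KEY, ...)`, so an installation that already sets that property keeps the expression it supplies and does not pick up the exclusion. COMPLEMENTOFDEFAULT is also no longer computed from `aliases.get(DEFAULT)`; it is now a fixed EDH/EECDH filter restricted to aNULL, so it does not follow an overridden DEFAULT. I would document both at the property lookup, e.g. `// A system property override replaces the whole expression, including !SSLv2; COMPLEMENTOFDEFAULT below does not follow the override`. The trailing `complementOfDefault.removeAll(aliases.get(eNULL))` looks redundant, since `all` already had eNULL removed earlier in the method.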
@@ -519,6 +528,8 @@
/* Temporarily enable everything else for sorting */
result.addAll(ciphers);
+ /* Low priority for SSLv2 */
+ moveToEnd(result, filterByProtocol(result, Collections.singleton(Protocol.SSLv2)));
/* Low priority for MD5 */
moveToEnd(result, filterByMessageDigest(result, Collections.singleton(MessageDigest.MD5)));
@@ -538,9 +549,9 @@
return strengthSort(result);
}
- static Set<Ciphers> filterByStrengthBits(Set<Ciphers> ciphers, int strength_bits) {
- Set<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
- for (Ciphers cipher : ciphers) {
+ static Set<Cipher> filterByStrengthBits(Set<Cipher> ciphers, int strength_bits) {
+ Set<Cipher> result = new LinkedHashSet<Cipher>(ciphers.size());
+ for (Cipher cipher : ciphers) {
if (cipher.getStrength_bits() == strength_bits) {
result.add(cipher);
}
@@ -548,34 +559,34 @@
return result;
}
- static Set<Ciphers> filterByProtocol(Set<Ciphers> ciphers, Set<Protocol> protocol) {
+ static Set<Cipher> filterByProtocol(Set<Cipher> ciphers, Set<Protocol> protocol) {
return filter(ciphers, protocol, null, null, null, null, null);
}
- static Set<Ciphers> filterByKeyExchange(Set<Ciphers> ciphers, Set<KeyExchange> kx) {
+ static Set<Cipher> filterByKeyExchange(Set<Cipher> ciphers, Set<KeyExchange> kx) {
return filter(ciphers, null, kx, null, null, null, null);
}
- static Set<Ciphers> filterByAuthentication(Set<Ciphers> ciphers, Set<Authentication> au) {
+ static Set<Cipher> filterByAuthentication(Set<Cipher> ciphers, Set<Authentication> au) {
return filter(ciphers, null, null, au, null, null, null);
}
- static Set<Ciphers> filterByEncryption(Set<Ciphers> ciphers, Set<Encryption> enc) {
+ static Set<Cipher> filterByEncryption(Set<Cipher> ciphers, Set<Encryption> enc) {
return filter(ciphers, null, null, null, enc, null, null);
}
- static Set<Ciphers> filterByEncryptionLevel(Set<Ciphers> ciphers, Set<EncryptionLevel> level) {
+ static Set<Cipher> filterByEncryptionLevel(Set<Cipher> ciphers, Set<EncryptionLevel> level) {
return filter(ciphers, null, null, null, null, level, null);
}
- static Set<Ciphers> filterByMessageDigest(Set<Ciphers> ciphers, Set<MessageDigest> mac) {
+ static Set<Cipher> filterByMessageDigest(Set<Cipher> ciphers, Set<MessageDigest> mac) {
return filter(ciphers, null, null, null, null, null, mac);
}
- static Set<Ciphers> filter(Set<Ciphers> ciphers, Set<Protocol> protocol, Set<KeyExchange> kx,
+ static Set<Cipher> filter(Set<Cipher> ciphers, Set<Protocol> protocol, Set<KeyExchange> kx,
Set<Authentication> au, Set<Encryption> enc, Set<EncryptionLevel> level, Set<MessageDigest> mac) {
- Set<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
- for (Ciphers cipher : ciphers) {
+ Set<Cipher> result = new LinkedHashSet<Cipher>(ciphers.size());
+ for (Cipher cipher : ciphers) {
if (protocol != null && protocol.contains(cipher.getProtocol())) {
result.add(cipher);
}
@@ -598,13 +609,13 @@
return result;
}
- static LinkedHashSet<Ciphers> parse(String expression) {
+ static LinkedHashSet<Cipher> parse(String expression) {
if (!initialized) {
init();
}
String[] elements = expression.split(SEPARATOR);
- LinkedHashSet<Ciphers> ciphers = new LinkedHashSet<Ciphers>();
- Set<Ciphers> removedCiphers = new HashSet<Ciphers>();
+ LinkedHashSet<Cipher> ciphers = new LinkedHashSet<Cipher>();
+ Set<Cipher> removedCiphers = new HashSet<Cipher>();
for (String element : elements) {
if (element.startsWith(DELETE)) {
String alias = element.substring(1);
@@ -630,8 +641,8 @@
add(ciphers, element);
} else if (element.contains(AND)) {
String[] intersections = element.split("\\" + AND);
- if(intersections.length > 0) {
- List<Ciphers> result = new ArrayList<Ciphers>(aliases.get(intersections[0]));
+ if(intersections.length > 0 && aliases.containsKey(intersections[0])) {
+ List<Cipher> result = new ArrayList<Cipher>(aliases.get(intersections[0]));
for(int i = 1; i < intersections.length; i++) {
if(aliases.containsKey(intersections[i])) {
result.retainAll(aliases.get(intersections[i]));
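Review bot: An alias that is not in `aliases` is silently ignored in this intersection branch, so a misspelled element changes the resulting cipher list without any signal to the operator. With the added `aliases.containsKey(intersections[0])` guard an unknown first alias drops the whole element, while an unknown later alias (the `containsKey` test inside the loop) is skipped and leaves `result` wider than the expression asked for. I would treat any unknown alias as an empty intersection, e.g. an `else { result.clear(); break; }` on the inner test, and log the unrecognised name. The body of `parse` continues outside this hunk, so handling after the loop may already cover part of this.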
@@ -645,10 +656,10 @@
return defaultSort(ciphers);
}
- static List<String> convertForJSSE(Collection<Ciphers> ciphers) {
+ static List<String> convertForJSSE(Collection<Cipher> ciphers) {
List<String> result = new ArrayList<String>(ciphers.size());
- for (Ciphers cipher : ciphers) {
- result.add(cipher.name());
+ for (Cipher cipher : ciphers) {
+ result.addAll(cipher.getJsseNames());
}
JSSELogger.ROOT_LOGGER.logEnabledCiphers(displayResult(ciphers, true, ","));
return result;
@@ -657,21 +668,24 @@
/**
* Parse the specified expression according to the OpenSSL syntax and returns a list of standard cipher names.
*
- * @param expression: the openssl expression to define a list of cipher.
+ * @param expression the openssl expression to define a list of cipher.
* @return the corresponding list of ciphers.
*/
public static List<String> parseExpression(String expression) {
return convertForJSSE(parse(expression));
}
- static String displayResult(Collection<Ciphers> ciphers, boolean useJSSEFormat, String separator) {
+ static String displayResult(Collection<Cipher> ciphers, boolean useJSSEFormat, String separator) {
if (ciphers.isEmpty()) {
return "";
}
StringBuilder builder = new StringBuilder(ciphers.size() * 16);
- for (Ciphers cipher : ciphers) {
+ for (Cipher cipher : ciphers) {
if (useJSSEFormat) {
- builder.append(cipher.name());
+ for (String name : cipher.getJsseNames()) {
+ builder.append(name);
+ builder.append(separator);
+ }
} else {
builder.append(cipher.getOpenSSLAlias());
}
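Review bot: The JSSE branch now appends `separator` after every name inside the inner loop, which may produce doubled separators if the part of the loop below this hunk still appends one per cipher. `displayResult` continues outside the hunk, so this needs checking against the full method; the string is what `convertForJSSE` passes to `logEnabledCiphers`. If the outer append is still there, moving it into the `else` branch (`builder.append(cipher.getOpenSSLAlias()); builder.append(separator);`) keeps one separator per name in both formats.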
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java 2014-09-09 14:10:18 UTC (rev 2508)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java 2014-09-11 15:09:44 UTC (rev 2509)
@@ -1,29 +1,41 @@
/*
- * Copyright (C) 2014 Red Hat, inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
*
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
+
package org.apache.tomcat.util.net.jsse.openssl;
-/**
- *
- * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
- */
enum Protocol {
- SSLv3, SSLv2, TLSv1, TLSv1_2;
+
+ SSLv3("SSLv3"),
+ SSLv2("SSLv2"),
+ TLSv1("SSLv3"),
+ TLSv1_2("TLSv1.2");
+
+ private final String openSSLName;
+
+ private Protocol(String openSSLName) {
+ this.openSSLName = openSSLName;
+ }
+
+ /**
+ * The name returned by OpenSSL in the protocol column when using
+ * <code>openssl ciphers -v</code>. This is currently only used by the unit
+ * tests hence it is package private.
+ */
+ String getOpenSSLName() {
+ return openSSLName;
+ }
}
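Review bot: `TLSv1("SSLv3")` reads like a copy-and-paste slip next to `SSLv3("SSLv3")` and needs a comment saying it is intended. The Javadoc on `getOpenSSLName()` says the value mirrors the protocol column of `openssl ciphers -v`, so presumably TLSv1 suites are listed there under SSLv3; a line such as `// openssl ciphers -v reports TLSv1 suites as SSLv3` above the constant would stop a later "fix" from breaking the tests. Two constants sharing one name also means the name cannot be mapped back to a single `Protocol`, which is worth stating in the same comment.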
JBossWeb SVN: r2508 - branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-09 10:10:18 -0400 (Tue, 09 Sep 2014)
New Revision: 2508
Modified:
branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
Log:
BZ1127283: Cut & paste issue for generating anonymous ciphers. Submitted by Radim Hatlapatka.
Modified: branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java 2014-09-05 12:10:17 UTC (rev 2507)
+++ branches/7.5.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java 2014-09-09 14:10:18 UTC (rev 2508)
@@ -412,7 +412,7 @@
aliases.put("DSS", aliases.get(aDSS));
addListAlias(aDH, filterByAuthentication(all, Collections.singleton(Authentication.DH)));
Set<Ciphers> aecdh = filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr)));
- aecdh.removeAll(filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
+ aecdh.retainAll(filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
addListAlias(AECDH, aecdh);
addListAlias(aECDH, filterByAuthentication(all, Collections.singleton(Authentication.ECDH)));
addListAlias(ECDSA, filterByAuthentication(all, Collections.singleton(Authentication.ECDSA)));
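Review bot: The `retainAll` line carries no comment saying what the `AECDH` alias is meant to contain, so the intent has to be inferred from the set operations. As written the set is the ECDH key-exchange suites intersected with `Authentication.aNULL`, i.e. the unauthenticated ones; a comment such as `// AECDH: ECDH key exchange AND no authentication (anonymous)` would make that explicit. Since expressions that exclude this alias depend on it matching the anonymous suites, a unit test pinning its membership would be a useful companion, if the test suite does not already have one. The enclosing method starts and ends outside the hunk.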
JBossWeb SVN: r2507 - tags.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-05 08:10:17 -0400 (Fri, 05 Sep 2014)
New Revision: 2507
Added:
tags/JBOSSWEB_7_5_0_BETA1/
Log:
First build.
JBossWeb SVN: r2506 - branches/7.5.x.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-05 08:08:45 -0400 (Fri, 05 Sep 2014)
New Revision: 2506
Modified:
branches/7.5.x/pom.xml
Log:
First build.
Modified: branches/7.5.x/pom.xml
===================================================================
--- branches/7.5.x/pom.xml 2014-09-04 21:30:47 UTC (rev 2505)
+++ branches/7.5.x/pom.xml 2014-09-05 12:08:45 UTC (rev 2506)
@@ -33,7 +33,7 @@
<groupId>org.jboss.web</groupId>
<artifactId>jbossweb</artifactId>
- <version>7.5.0.Alpha</version>
+ <version>7.5.0.Beta1</version>
<name>JBoss Web</name>
<description>Servlet 3.0 container</description>
JBossWeb SVN: r2505 - in branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java: org/apache/catalina/security and 8 other directories.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-09-04 17:30:47 -0400 (Thu, 04 Sep 2014)
New Revision: 2505
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/security/SecurityClassLoad.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/servlets/DefaultServlet.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/jasper/compiler/JspDocumentParser.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/buf/Ascii.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/net/JIoEndpoint.java
Log:
[JBPAPP-11181] merge fix for CVE-2013-4286
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java:2480-2482
+ /branches/2.1.x/java:2394,2480-2482
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/security/SecurityClassLoad.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460
+ /branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/servlets/DefaultServlet.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427
+ /branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java 2014-09-04 20:50:30 UTC (rev 2504)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java 2014-09-04 21:30:47 UTC (rev 2505)
@@ -25,6 +25,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.coyote.ActionCode;
import org.apache.coyote.ActionHook;
import org.apache.coyote.Adapter;
@@ -654,6 +656,7 @@
// Decode headers
MimeHeaders headers = request.getMimeHeaders();
+ boolean contentLengthSet = false;
int hCount = requestHeaderMessage.getInt();
for(int i = 0 ; i < hCount ; i++) {
String hName = null;
@@ -689,7 +692,16 @@
if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
(hId == -1 && tmpMB.equalsIgnoreCase("Content-Length"))) {
// just read the content-length header, so set it
- request.setContentLength( vMB.getInt() );
+ long cl = vMB.getLong();
+ if (contentLengthSet) {
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ error = true;
+ } else {
+ contentLengthSet = true;
+ // Set the content-length header for the request
+ if(cl < Integer.MAX_VALUE)
+ request.setContentLength( (int)cl );
+ }
} else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
(hId == -1 && tmpMB.equalsIgnoreCase("Content-Type"))) {
// just read the content-type header, so set it
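Review bot: The unbraced `if(cl < Integer.MAX_VALUE)` silently skips `setContentLength` for larger values, and nothing in the hunk says what length the request then has. If the long value is picked up later from the header, say so in a comment, e.g. `// larger values are left for getContentLengthLong() to parse` (assuming that is the mechanism); otherwise the request should be rejected like the duplicate case. No `break` follows `error = true` in the visible lines, so the remaining headers still appear to be decoded, and `vMB.getLong()` runs before the duplicate check, so a second value is parsed before it is refused. The same lines are added in the AjpProcessor.java hunk below; the enclosing method starts and ends outside both hunks.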
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java 2014-09-04 20:50:30 UTC (rev 2504)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java 2014-09-04 21:30:47 UTC (rev 2505)
@@ -27,6 +27,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.coyote.ActionCode;
import org.apache.coyote.ActionHook;
import org.apache.coyote.Adapter;
@@ -659,6 +661,7 @@
// Decode headers
MimeHeaders headers = request.getMimeHeaders();
+ boolean contentLengthSet = false;
int hCount = requestHeaderMessage.getInt();
for(int i = 0 ; i < hCount ; i++) {
String hName = null;
@@ -694,7 +697,16 @@
if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
(hId == -1 && tmpMB.equalsIgnoreCase("Content-Length"))) {
// just read the content-length header, so set it
- request.setContentLength( vMB.getInt() );
+ long cl = vMB.getLong();
+ if (contentLengthSet) {
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ error = true;
+ } else {
+ contentLengthSet = true;
+ // Set the content-length header for the request
+ if(cl < Integer.MAX_VALUE)
+ request.setContentLength( (int)cl );
+ }
} else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
(hId == -1 && tmpMB.equalsIgnoreCase("Content-Type"))) {
// just read the content-type header, so set it
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-09-04 20:50:30 UTC (rev 2504)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-09-04 21:30:47 UTC (rev 2505)
@@ -1469,10 +1469,20 @@
// Parse content-length header
long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter
(inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
+ contentDelimitation = true;
+ }
}
MessageBytes valueMB = headers.getValue("host");
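Review bot: A request carrying two different Content-Length headers is not handled in this hunk, while the AJP processors in the same commit reject that case with `SC_BAD_REQUEST`. It may already be refused inside `request.getContentLengthLong()`, which is outside the hunk; if it is not, the identity filter would be sized from whichever value that call returns. It is also worth confirming that `headers.removeHeader("content-length")` removes every occurrence of the header, so that no stale value stays visible to the application after `request.setContentLength(-1)`. The same change is made in the Http11Processor.java hunk below, and the enclosing method starts and ends outside both hunks.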
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java 2014-09-04 20:50:30 UTC (rev 2504)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java 2014-09-04 21:30:47 UTC (rev 2505)
@@ -1273,10 +1273,20 @@
// Parse content-length header
long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter
(inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
+ contentDelimitation = true;
+ }
}
MessageBytes valueMB = headers.getValue("host");
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428
+ /branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/jasper/compiler/JspDocumentParser.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427
+ /branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/tomcat/util:2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util:2427
+ /branches/2.1.x/java/org/apache/tomcat/util:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util:2427
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/buf/Ascii.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426-2427
+ /branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426-2427
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/net/JIoEndpoint.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427
+ /branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java:2394
/branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427
JBossWeb SVN: r2504 - branches.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-09-04 16:50:30 -0400 (Thu, 04 Sep 2014)
New Revision: 2504
Added:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/
Log:
[JBPAPP-11181] create one-off branch
JBossWeb SVN: r2503 - branches/7.5.x/src/main/java/org/apache/catalina/connector.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-04 12:21:03 -0400 (Thu, 04 Sep 2014)
New Revision: 2503
Modified:
branches/7.5.x/src/main/java/org/apache/catalina/connector/Request.java
Log:
BZ1008041: doGetUserPrincipal will be used by getRemoteUser to be consistent with getUserPrincipal.
Modified: branches/7.5.x/src/main/java/org/apache/catalina/connector/Request.java
===================================================================
--- branches/7.5.x/src/main/java/org/apache/catalina/connector/Request.java 2014-09-04 15:16:55 UTC (rev 2502)
+++ branches/7.5.x/src/main/java/org/apache/catalina/connector/Request.java 2014-09-04 16:21:03 UTC (rev 2503)
@@ -2253,13 +2253,14 @@
* for this Request.
*/
public String getRemoteUser() {
-
- if (userPrincipal != null) {
- return (userPrincipal.getName());
+ Principal principal = doGetUserPrincipal();
+ if (principal instanceof GenericPrincipal) {
+ return ((GenericPrincipal) principal).getUserPrincipal().getName();
+ } else if (principal != null) {
+ return (principal.getName());
} else {
return (null);
}
-
}
@@ -2516,8 +2517,9 @@
if (USE_PRINCIPAL_FROM_SESSION && userPrincipal == null) {
Session session = doGetSession(false);
Principal principal = session.getPrincipal();
- if (principal != null)
- return principal;
+ if (principal != null) {
+ return principal;
+ }
}
return userPrincipal;
}
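Review bot: `session.getPrincipal()` is called without a null check on the result of `doGetSession(false)`, and with the first hunk `getRemoteUser()` now reaches this path through `doGetUserPrincipal()`. If `doGetSession(false)` returns null when the request has no session (its body is not visible here), a request without a session and with `USE_PRINCIPAL_FROM_SESSION` enabled would fail with a NullPointerException where `getRemoteUser()` previously returned null. Guarding the lookup, `Principal principal = (session != null) ? session.getPrincipal() : null;`, keeps the old behaviour. The enclosing method starts outside the hunk; presumably it is `doGetUserPrincipal()`.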
JBossWeb SVN: r2502 - branches/7.5.x/src/main/java/org/jboss/web.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-09-04 11:16:55 -0400 (Thu, 04 Sep 2014)
New Revision: 2502
Modified:
branches/7.5.x/src/main/java/org/jboss/web/WebsocketsLogger.java
Log:
BZ1095361: Warn for websockets initialization failure.
Modified: branches/7.5.x/src/main/java/org/jboss/web/WebsocketsLogger.java
===================================================================
--- branches/7.5.x/src/main/java/org/jboss/web/WebsocketsLogger.java 2014-09-04 13:08:00 UTC (rev 2501)
+++ branches/7.5.x/src/main/java/org/jboss/web/WebsocketsLogger.java 2014-09-04 15:16:55 UTC (rev 2502)
@@ -94,7 +94,7 @@
@Message(id = 8812, value = "Failed to close the ServletOutputStream connection cleanly")
void closeFailed(@Cause Throwable t);
- @LogMessage(level = INFO)
+ @LogMessage(level = WARN)
@Message(id = 8813, value = "WebSocket support is not available when running on Java 6")
void noWebsocketsSupport();