drop 1.1 aliases - restore previous behavior

kares · kares · commit b662bf53e4e2 · 2022-01-28T14:38:15.000+01:00
we know the old code has issues and can not be mapped to OpenSSL
still, the OpenSSL 1.1 behavior attempt needs much more work ...
diff --git a/src/main/java/org/jruby/ext/openssl/CipherStrings.java b/src/main/java/org/jruby/ext/openssl/CipherStrings.java
@@ -317,7 +317,8 @@ public class CipherStrings {
     public final static long SSL_SHA256 = 0x00000010L;
     public final static long SSL_SHA384 = 0x00000020L;
 
-    //public final static long SSL_SSL_MASK = 0x03000000L;
+    @Deprecated
+    public final static long SSL_SSL_MASK = 0x03000000L; // legacy
     public final static long SSL_SSLV2 = 0x01000000L;
     public final static long SSL_SSLV3 = 0x02000000L;
     public final static long SSL_TLSV1 = SSL_SSLV3;
@@ -336,11 +337,14 @@ public class CipherStrings {
     public final static long SSL_MEDIUM = 0x00000040L; // 0x00000004U in OSSL 1.1
     public final static long SSL_HIGH = 0x00000080L; // 0x00000008U in OSSL 1.1
     public final static long SSL_FIPS = 0x00000100L; // 0x00000010U in OSSL 1.1
-    public final static long SSL_NOT_DEFAULT = 0x00000200L; // 0x00000020U in OSSL 1.1 TODO: kares
-
-    //public final static long SSL_ALL = 0xffffffffL;
-    public final static long SSL_ALL_CIPHERS = (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|SSL_MAC_MASK); // TODO drop
-    public final static long SSL_ALL_STRENGTHS = (SSL_EXP_MASK|SSL_STRONG_MASK); // TODO drop
+    public final static long SSL_NOT_DEFAULT = 0x00000200L; // 0x00000020U in OSSL 1.1
+
+    @Deprecated
+    public final static long SSL_ALL = 0xffffffffL; // legacy
+    @Deprecated
+    public final static long SSL_ALL_CIPHERS = (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|SSL_MAC_MASK);
+    @Deprecated
+    public final static long SSL_ALL_STRENGTHS = (SSL_EXP_MASK|SSL_STRONG_MASK);
     public final static long SSL_PKEY_RSA_ENC = 0;
     public final static long SSL_PKEY_RSA_SIGN = 1;
     public final static long SSL_PKEY_DSA_SIGN = 2;
@@ -776,138 +780,53 @@ private static Collection<Def> matchingPattern(
     private final static Map<String, String> SuiteToOSSL;
 
     static {
-        final String NULL = null;
-
-        Object[] cipher_aliases[] = { // NOTE: copied from OpenSSL 1.1 (ssl_ciph.c)
-            /* "ALL" doesn't include eNULL (must be specifically enabled) */
-            {0, SSL_TXT_ALL, NULL, 0, 0, 0, ~SSL_eNULL},
-            /* "COMPLEMENTOFALL" */
-            {0, SSL_TXT_CMPALL, NULL, 0, 0, 0, SSL_eNULL},
-
-            /*
-             * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!)
-             */
-            {0, SSL_TXT_CMPDEF, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT},
-
-            /*
-             * key exchange aliases (some of those using only a single bit here
-             * combine multiple key exchange algs according to the RFCs, e.g. kDHE
-             * combines DHE_DSS and DHE_RSA)
-             */
-            {0, SSL_TXT_kRSA, NULL, 0, SSL_kRSA},
-
-            {0, SSL_TXT_kEDH, NULL, 0, SSL_kDHE},
-            {0, SSL_TXT_kDHE, NULL, 0, SSL_kDHE},
-            {0, SSL_TXT_DH, NULL, 0, SSL_kDHE},
-
-            {0, SSL_TXT_kEECDH, NULL, 0, SSL_kECDHE},
-            {0, SSL_TXT_kECDHE, NULL, 0, SSL_kECDHE},
-            {0, SSL_TXT_ECDH, NULL, 0, SSL_kECDHE},
-
-            //{0, SSL_TXT_kPSK, NULL, 0, SSL_kPSK},
-            //{0, SSL_TXT_kRSAPSK, NULL, 0, SSL_kRSAPSK},
-            //{0, SSL_TXT_kECDHEPSK, NULL, 0, SSL_kECDHEPSK},
-            //{0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},
-            //{0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},
-            //{0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},
-
-            /* server authentication aliases */
-            {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},
-            {0, SSL_TXT_aDSS, NULL, 0, 0, SSL_aDSS},
-            {0, SSL_TXT_DSS, NULL, 0, 0, SSL_aDSS},
-            {0, SSL_TXT_aNULL, NULL, 0, 0, SSL_aNULL},
-            {0, SSL_TXT_aECDSA, NULL, 0, 0, SSL_aECDSA},
-            {0, SSL_TXT_ECDSA, NULL, 0, 0, SSL_aECDSA},
-            //{0, SSL_TXT_aPSK, NULL, 0, 0, SSL_aPSK},
-            //{0, SSL_TXT_aGOST01, NULL, 0, 0, SSL_aGOST01},
-            //{0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12},
-            //{0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 | SSL_aGOST12},
-            //{0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP},
-
-            /* aliases combining key exchange and server authentication */
-            {0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL},
-            {0, SSL_TXT_DHE, NULL, 0, SSL_kDHE, ~SSL_aNULL},
-            {0, SSL_TXT_EECDH, NULL, 0, SSL_kECDHE, ~SSL_aNULL},
-            {0, SSL_TXT_ECDHE, NULL, 0, SSL_kECDHE, ~SSL_aNULL},
-            {0, SSL_TXT_NULL, NULL, 0, 0, 0, SSL_eNULL},
-            {0, SSL_TXT_RSA, NULL, 0, SSL_kRSA, SSL_aRSA},
-            {0, SSL_TXT_ADH, NULL, 0, SSL_kDHE, SSL_aNULL},
-            {0, SSL_TXT_AECDH, NULL, 0, SSL_kECDHE, SSL_aNULL},
-            //{0, SSL_TXT_PSK, NULL, 0, SSL_PSK},
-            //{0, SSL_TXT_SRP, NULL, 0, SSL_kSRP},
-
-            /* symmetric encryption aliases */
-            {0, SSL_TXT_3DES, NULL, 0, 0, 0, SSL_3DES},
-            {0, SSL_TXT_RC4, NULL, 0, 0, 0, SSL_RC4},
-            {0, SSL_TXT_RC2, NULL, 0, 0, 0, SSL_RC2},
-            {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},
-            {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},
-            {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},
-            //{0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12},
-            {0, SSL_TXT_AES128, NULL, 0, 0, 0,
-                    SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
-            {0, SSL_TXT_AES256, NULL, 0, 0, 0,
-                    SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8},
-            {0, SSL_TXT_AES, NULL, 0, 0, 0, SSL_AES},
-            {0, SSL_TXT_AES_GCM, NULL, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM},
-            {0, SSL_TXT_AES_CCM, NULL, 0, 0, 0,
-                    SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8},
-            {0, SSL_TXT_AES_CCM_8, NULL, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8},
-            {0, SSL_TXT_CAMELLIA128, NULL, 0, 0, 0, SSL_CAMELLIA128},
-            {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
-            {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
-            {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
-
-            {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
-            {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
-            {0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM},
-            {0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM},
-
-            /* MAC aliases */
-            {0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5},
-            {0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1},
-            {0, SSL_TXT_SHA, NULL, 0, 0, 0, 0, SSL_SHA1},
-            //{0, SSL_TXT_GOST94, NULL, 0, 0, 0, 0, SSL_GOST94},
-            //{0, SSL_TXT_GOST89MAC, NULL, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12},
-            {0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256},
-            {0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384},
-            //{0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256},
-
-            /* protocol version aliases */
-            {0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION},
-            {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
-            {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
-            {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
-
-            /* strength classes */
-            {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
-            {0, SSL_TXT_MEDIUM, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM},
-            {0, SSL_TXT_HIGH, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH},
-            /* FIPS 140-2 approved ciphersuite */
-            //{0, SSL_TXT_FIPS, NULL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS},
-
-            /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
-            //{0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, NULL, 0, SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS},
-            //{0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, NULL, 0, SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS},
-        };
-
-        Definitions = new HashMap<String, Def>(128);
-
-        for (Object[] a : cipher_aliases) {
-            int valid = (Integer) a[0];
-            String txt_name = (String) a[1];
-            String std_name = (String) a[2];
-            long id = (Integer) a[3];
-            long algorithm_mkey = a.length > 4 ? ((Number) a[4]).longValue() : 0;
-            long algorithm_auth = a.length > 5 ? ((Number) a[5]).longValue() : 0;
-            long algorithm_enc = a.length > 6 ? ((Number) a[6]).longValue() : 0;
-            long algorithm_mac = a.length > 7 ? ((Number) a[7]).longValue() : 0;
-            int min_tls = a.length > 8 ? ((Integer) a[8]) : 0;
-            int max_tls = a.length > 9 ? ((Integer) a[9]) : 0;
-            Definitions.put(txt_name,
-                new Def(valid, txt_name, std_name, id, algorithm_mkey, algorithm_auth, algorithm_enc, algorithm_mac, min_tls, max_tls)
-            );
-        }
+        Definitions = new HashMap<String, Def>( 48, 1 );
+        // TODO review base on OpenSSL's static const SSL_CIPHER cipher_aliases[] ?!
+        Definitions.put(SSL_TXT_ALL,new Def(0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL));
+        Definitions.put(SSL_TXT_CMPALL,new Def(0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_CMPDEF,new Def(0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_kKRB5,new Def(0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_kRSA,new Def(0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_kDHr,new Def(0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_kDHd,new Def(0,SSL_TXT_kDHd,0,SSL_kDHd,  0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_kEDH,new Def(0,SSL_TXT_kEDH,0,SSL_kEDH,  0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_kFZA,new Def(0,SSL_TXT_kFZA,0,SSL_kFZA,  0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_DH,new Def(0,SSL_TXT_DH,	0,SSL_DH,    0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_ECC,new Def(0,SSL_TXT_ECC,	0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_EDH,new Def(0,SSL_TXT_EDH,	0,SSL_EDH,   0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_aKRB5,new Def(0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_aRSA,new Def(0,SSL_TXT_aRSA,0,SSL_aRSA,  0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_aDSS,new Def(0,SSL_TXT_aDSS,0,SSL_aDSS,  0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_aFZA,new Def(0,SSL_TXT_aFZA,0,SSL_aFZA,  0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_aNULL,new Def(0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_aDH,new Def(0,SSL_TXT_aDH, 0,SSL_aDH,   0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_DSS,new Def(0,SSL_TXT_DSS,	0,SSL_DSS,   0,0,0,0,SSL_AUTH_MASK,0));
+        Definitions.put(SSL_TXT_DES,new Def(0,SSL_TXT_DES,	0,SSL_DES,   0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_3DES,new Def(0,SSL_TXT_3DES,0,SSL_3DES,  0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_RC4,new Def(0,SSL_TXT_RC4,	0,SSL_RC4,   0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_RC2,new Def(0,SSL_TXT_RC2,	0,SSL_RC2,   0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_IDEA,new Def(0,SSL_TXT_IDEA,0,SSL_IDEA,  0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_eNULL,new Def(0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_eFZA,new Def(0,SSL_TXT_eFZA,0,SSL_eFZA,  0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_AES,new Def(0,SSL_TXT_AES,	0,SSL_AES,   0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_MD5,new Def(0,SSL_TXT_MD5,	0,SSL_MD5,   0,0,0,0,SSL_MAC_MASK,0));
+        Definitions.put(SSL_TXT_SHA1,new Def(0,SSL_TXT_SHA1,0,SSL_SHA1,  0,0,0,0,SSL_MAC_MASK,0));
+        Definitions.put(SSL_TXT_SHA,new Def(0,SSL_TXT_SHA,	0,SSL_SHA,   0,0,0,0,SSL_MAC_MASK,0));
+        Definitions.put(SSL_TXT_NULL,new Def(0,SSL_TXT_NULL,0,SSL_eNULL,  0,0,0,0,SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_KRB5,new Def(0,SSL_TXT_KRB5,0,SSL_KRB5,  0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_RSA,new Def(0,SSL_TXT_RSA,	0,SSL_RSA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_ADH,new Def(0,SSL_TXT_ADH,	0,SSL_ADH,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0));
+        Definitions.put(SSL_TXT_FZA,new Def(0,SSL_TXT_FZA,	0,SSL_FZA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0));
+        Definitions.put(SSL_TXT_SSLV2,new Def(0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0));
+        Definitions.put(SSL_TXT_SSLV3,new Def(0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0));
+        Definitions.put(SSL_TXT_TLSV1,new Def(0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0));
+        Definitions.put(SSL_TXT_EXP,new Def(0,SSL_TXT_EXP   ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK));
+        Definitions.put(SSL_TXT_EXPORT,new Def(0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK));
+        Definitions.put(SSL_TXT_EXP40,new Def(0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK));
+        Definitions.put(SSL_TXT_EXP56,new Def(0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK));
+        Definitions.put(SSL_TXT_LOW,new Def(0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK));
+        Definitions.put(SSL_TXT_MEDIUM,new Def(0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK));
+        Definitions.put(SSL_TXT_HIGH,new Def(0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK));
 
         final ArrayList<Def> Ciphers = new ArrayList<Def>( 96 );
         /* Cipher 01 */
