{******************************************************************************} { } { Library: Fundamentals TLS } { File name: flcTLSCipherSuite.pas } { File version: 5.04 } { Description: TLS cipher suite } { } { Copyright: Copyright (c) 2008-2020, David J Butler } { All rights reserved. } { Redistribution and use in source and binary forms, with } { or without modification, are permitted provided that } { the following conditions are met: } { Redistributions of source code must retain the above } { copyright notice, this list of conditions and the } { following disclaimer. } { THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND } { CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED } { WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED } { WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A } { PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL } { THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, } { INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR } { CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, } { PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF } { USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) } { HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER } { IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING } { NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE } { USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE } { POSSIBILITY OF SUCH DAMAGE. } { } { Github: https://github.com/fundamentalslib } { E-mail: fundamentals.library at gmail.com } { } { References: } { } { http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml } { https://ldapwiki.com/wiki/Known%20Cipher%20Suites } { } { Revision history: } { } { 2008/01/18 0.01 Initial development. } { 2018/07/17 5.02 Revised for Fundamentals 5. } { 2020/05/09 5.03 Populate CipherSuiteInfo.Auhtentication. } { 2020/05/19 5.04 Enable support for DHE_RSA_WITH_AES suites. } { } {******************************************************************************} {$INCLUDE flcTLS.inc} unit flcTLSCipherSuite; interface uses { Utils } flcStdTypes, { TLS } flcTLSProtocolVersion, flcTLSAlgorithmTypes; { } { Cipher Suite } { } type TTLSCipherSuite = ( tlscsNone, tlscsNULL_WITH_NULL_NULL, tlscsRSA_WITH_NULL_MD5, tlscsRSA_WITH_NULL_SHA, tlscsDH_Anon_EXPORT_WITH_RC4_40_MD5, tlscsDH_Anon_WITH_RC4_128_MD5, tlscsDH_Anon_EXPORT_WITH_DES40_CBC_SHA, tlscsDH_Anon_WITH_DES_CBC_SHA, tlscsDH_Anon_WITH_3DES_EDE_CBC_SHA, tlscsDH_Anon_WITH_AES_128_CBC_SHA256, tlscsDH_Anon_WITH_AES_256_CBC_SHA256, tlscsDH_DSS_EXPORT_WITH_DES40_CBC_SHA, tlscsDH_DSS_WITH_DES_CBC_SHA, tlscsDH_DSS_WITH_3DES_EDE_CBC_SHA, tlscsDH_RSA_EXPORT_WITH_DES40_CBC_SHA, tlscsDH_RSA_WITH_DES_CBC_SHA, tlscsDH_RSA_WITH_3DES_EDE_CBC_SHA, tlscsDH_DSS_WITH_AES_128_CBC_SHA, tlscsDH_DSS_WITH_AES_256_CBC_SHA, tlscsDH_DSS_WITH_AES_128_CBC_SHA256, tlscsDH_DSS_WITH_AES_256_CBC_SHA256, tlscsDH_RSA_WITH_AES_128_CBC_SHA, tlscsDH_RSA_WITH_AES_256_CBC_SHA, tlscsDH_RSA_WITH_AES_128_CBC_SHA256, tlscsDH_RSA_WITH_AES_256_CBC_SHA256, tlscsRSA_EXPORT_WITH_RC4_40_MD5, tlscsRSA_WITH_RC4_128_MD5, tlscsRSA_WITH_RC4_128_SHA, tlscsRSA_EXPORT_WITH_RC2_CBC_40_MD5, tlscsRSA_WITH_IDEA_CBC_SHA, tlscsRSA_EXPORT_WITH_DES40_CBC_SHA, tlscsRSA_WITH_DES_CBC_SHA, tlscsRSA_WITH_3DES_EDE_CBC_SHA, tlscsRSA_EXPORT1024_WITH_DES_CBC_SHA, // draft-ietf-tls-56-bit-ciphersuites-01 tlscsRSA_EXPORT1024_WITH_RC4_56_SHA, // draft-ietf-tls-56-bit-ciphersuites-01 tlscsRSA_WITH_NULL_SHA256, tlscsRSA_WITH_AES_128_CBC_SHA, // mandatory for tls 1.2 (rfc 5246) tlscsRSA_WITH_AES_256_CBC_SHA, tlscsRSA_WITH_AES_128_CBC_SHA256, tlscsRSA_WITH_AES_256_CBC_SHA256, tlscsDHE_DSS_EXPORT_WITH_DES40_CBC_SHA, tlscsDHE_DSS_WITH_DES_CBC_SHA, tlscsDHE_DSS_WITH_3DES_EDE_CBC_SHA, tlscsDHE_DSS_WITH_RC4_128_SHA, // draft-ietf-tls-56-bit-ciphersuites-01 tlscsDHE_RSA_EXPORT_WITH_DES40_CBC_SHA, tlscsDHE_RSA_WITH_DES_CBC_SHA, tlscsDHE_RSA_WITH_3DES_EDE_CBC_SHA, tlscsDHE_DSS_WITH_AES_128_CBC_SHA, tlscsDHE_DSS_WITH_AES_256_CBC_SHA, tlscsDHE_DSS_WITH_AES_128_CBC_SHA256, tlscsDHE_DSS_WITH_AES_256_CBC_SHA256, tlscsDHE_RSA_WITH_AES_128_CBC_SHA, tlscsDHE_RSA_WITH_AES_256_CBC_SHA, tlscsDHE_RSA_WITH_AES_128_CBC_SHA256, tlscsDHE_RSA_WITH_AES_256_CBC_SHA256, tlscsECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // rfc 5289 tlscsECDHE_ECDSA_WITH_AES_256_CBC_SHA384, // rfc 5289 tlscsECDH_ECDSA_WITH_AES_128_CBC_SHA256, // rfc 5289 tlscsECDH_ECDSA_WITH_AES_256_CBC_SHA384, // rfc 5289 tlscsECDHE_RSA_WITH_AES_128_CBC_SHA256, // rfc 5289 tlscsECDHE_RSA_WITH_AES_256_CBC_SHA384, // rfc 5289 tlscsECDH_RSA_WITH_AES_128_CBC_SHA256, // rfc 5289 tlscsECDH_RSA_WITH_AES_256_CBC_SHA384 // rfc 5289 ); TTLSCipherSuites = set of TTLSCipherSuite; TTLSCipherSuiteKeyExchange = ( tlscskeNone, tlscskeNULL, tlscskeRSA, tlscskeRSA_EXPORT, tlscskeRSA_EXPORT1024, tlscskeDH_DSS_EXPORT, tlscskeDH_DSS, tlscskeDH_RSA_EXPORT, tlscskeDH_RSA, tlscskeDHE_DSS_EXPORT, tlscskeDHE_DSS, tlscskeDHE_RSA_EXPORT, tlscskeDHE_RSA, tlscskeDH_anon_EXPORT, tlscskeDH_anon, tlscskeECDHE_ECDSA, tlscskeECDH_ECDSA, tlscskeECDHE_RSA, tlscskeECDH_RSA ); TTLSCipherSuiteAuthentication = ( tlscsaNone, tlscsaAnon, tlscsaRSA, tlscsaDSS, tlscsaPSK, tlscsaECDSA ); TTLSCipherSuiteCipher = ( tlscscNone, tlscscNULL, tlscscRC2_CBC_40, tlscscRC4_40, tlscscRC4_56, tlscscRC4_128, tlscscIDEA_CBC, tlscscDES40_CBC, tlscscDES_CBC, tlscsc3DES_EDE_CBC, tlscscAES_128_CBC, tlscscAES_256_CBC ); TTLSCipherSuiteHash = ( tlscshNone, tlscshNULL, tlscshSHA, tlscshSHA256, tlscshSHA384, tlscshMD5 ); type TTLSCipherSuiteRec = packed record B1, B2 : Byte; end; PTLSCipherSuiteRec = ^TTLSCipherSuiteRec; const TLSCipherSuiteRecSize = Sizeof(TTLSCipherSuiteRec); type TTLSCipherSuiteInfo = record Name : RawByteString; KeyExchange : TTLSCipherSuiteKeyExchange; Authentication : TTLSCipherSuiteAuthentication; Cipher : TTLSCipherSuiteCipher; Hash : TTLSCipherSuiteHash; Rec : TTLSCipherSuiteRec; ServerSupport : Boolean; ClientSupport : Boolean; MinVersion : TTLSProtocolVersion; end; PTLSCipherSuiteInfo = ^TTLSCipherSuiteInfo; const TLSCipherSuiteInfo : array[TTLSCipherSuite] of TTLSCipherSuiteInfo = ( ( // None Name : ''; KeyExchange : tlscskeNone; Authentication : tlscsaNone; Cipher : tlscscNone; Hash : tlscshNone; Rec : (B1: $FF; B2: $FF); ServerSupport : False; ClientSupport : False; MinVersion : (major: 0; minor: 0); ), ( // NULL_WITH_NULL_NULL Name : 'NULL_WITH_NULL_NULL'; KeyExchange : tlscskeNULL; Authentication : tlscsaNone; Cipher : tlscscNULL; Hash : tlscshNULL; Rec : (B1: $00; B2: $00); ServerSupport : False; ClientSupport : False; MinVersion : (major: 0; minor: 0); ), ( // RSA_WITH_NULL_MD5 Name : 'RSA_WITH_NULL_MD5'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscNULL; Hash : tlscshMD5; Rec : (B1: $00; B2: $01); ServerSupport : False; ClientSupport : False; ), ( // RSA_WITH_NULL_SHA Name : 'RSA_WITH_NULL_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscNULL; Hash : tlscshSHA; Rec : (B1: $00; B2: $02); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_EXPORT_WITH_RC4_40_MD5 Name : 'DH_anon_EXPORT_WITH_RC4_40_MD5'; KeyExchange : tlscskeDH_anon_EXPORT; Authentication : tlscsaAnon; Cipher : tlscscRC4_40; Hash : tlscshMD5; Rec : (B1: $00; B2: $17); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_WITH_RC4_128_MD5 Name : 'DH_anon_WITH_RC4_128_MD5'; KeyExchange : tlscskeDH_anon; Authentication : tlscsaAnon; Cipher : tlscscRC4_128; Hash : tlscshMD5; Rec : (B1: $00; B2: $18); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_EXPORT_WITH_DES40_CBC_SHA Name : 'DH_anon_EXPORT_WITH_DES40_CBC_SHA'; KeyExchange : tlscskeDH_anon_EXPORT; Authentication : tlscsaAnon; Cipher : tlscscDES40_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $19); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_WITH_DES_CBC_SHA Name : 'DH_anon_WITH_DES_CBC_SHA'; KeyExchange : tlscskeDH_anon; Authentication : tlscsaAnon; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $1A); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_WITH_3DES_EDE_CBC_SHA Name : 'DH_anon_WITH_3DES_EDE_CBC_SHA'; KeyExchange : tlscskeDH_anon; Authentication : tlscsaAnon; Cipher : tlscsc3DES_EDE_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $1B); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_WITH_AES_128_CBC_SHA256 Name : 'DH_anon_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeDH_anon; Authentication : tlscsaAnon; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $6C); ServerSupport : False; ClientSupport : False; ), ( // DH_anon_WITH_AES_256_CBC_SHA256 Name : 'DH_anon_WITH_AES_256_CBC_SHA256'; KeyExchange : tlscskeDH_anon; Authentication : tlscsaAnon; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $6D); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_EXPORT_WITH_DES40_CBC_SHA Name : 'DH_DSS_EXPORT_WITH_DES40_CBC_SHA'; KeyExchange : tlscskeDH_DSS_EXPORT; Authentication : tlscsaDSS; Cipher : tlscscDES40_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $0B); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_WITH_DES_CBC_SHA Name : 'DH_DSS_WITH_DES_CBC_SHA'; KeyExchange : tlscskeDH_DSS; Authentication : tlscsaDSS; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $0C); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_WITH_3DES_EDE_CBC_SHA Name : 'DH_DSS_WITH_3DES_EDE_CBC_SHA'; KeyExchange : tlscskeDH_DSS; Authentication : tlscsaDSS; Cipher : tlscsc3DES_EDE_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $0D); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_EXPORT_WITH_DES40_CBC_SHA Name : 'DH_RSA_EXPORT_WITH_DES40_CBC_SHA'; KeyExchange : tlscskeDH_RSA_EXPORT; Authentication : tlscsaAnon; Cipher : tlscscDES40_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $0E); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_WITH_DES_CBC_SHA Name : 'DH_RSA_WITH_DES_CBC_SHA'; KeyExchange : tlscskeDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $0F); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_WITH_3DES_EDE_CBC_SHA Name : 'DH_RSA_WITH_3DES_EDE_CBC_SHA'; KeyExchange : tlscskeDH_RSA; Authentication : tlscsaRSA; Cipher : tlscsc3DES_EDE_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $10); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_WITH_AES_128_CBC_SHA Name : 'DH_DSS_WITH_AES_128_CBC_SHA'; KeyExchange : tlscskeDH_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $30); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_WITH_AES_256_CBC_SHA Name : 'DH_DSS_WITH_AES_256_CBC_SHA'; KeyExchange : tlscskeDH_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $36); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_WITH_AES_128_CBC_SHA256 Name : 'DH_DSS_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeDH_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $3E); ServerSupport : False; ClientSupport : False; ), ( // DH_DSS_WITH_AES_256_CBC_SHA256 Name : 'DH_DSS_WITH_AES_256_CBC_SHA256'; KeyExchange : tlscskeDH_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $68); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_WITH_AES_128_CBC_SHA Name : 'DH_RSA_WITH_AES_128_CBC_SHA'; KeyExchange : tlscskeDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $31); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_WITH_AES_256_CBC_SHA Name : 'DH_RSA_WITH_AES_256_CBC_SHA'; KeyExchange : tlscskeDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $37); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_WITH_AES_128_CBC_SHA256 Name : 'DH_RSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $3F); ServerSupport : False; ClientSupport : False; ), ( // DH_RSA_WITH_AES_256_CBC_SHA256 Name : 'DH_RSA_WITH_AES_256_CBC_SHA256'; KeyExchange : tlscskeDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $69); ServerSupport : False; ClientSupport : False; ), ( // RSA_EXPORT_WITH_RC4_40_MD5 Name : 'RSA_EXPORT_WITH_RC4_40_MD5'; KeyExchange : tlscskeRSA_EXPORT; Authentication : tlscsaAnon; Cipher : tlscscRC4_40; Hash : tlscshMD5; Rec : (B1: $00; B2: $03); ServerSupport : False; ClientSupport : False; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_WITH_RC4_128_MD5 Name : 'RSA_WITH_RC4_128_MD5'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscRC4_128; Hash : tlscshMD5; Rec : (B1: $00; B2: $04); ServerSupport : True; ClientSupport : True; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_WITH_RC4_128_SHA Name : 'RSA_WITH_RC4_128_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscRC4_128; Hash : tlscshSHA; Rec : (B1: $00; B2: $05); ServerSupport : True; ClientSupport : True; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_EXPORT_WITH_RC2_CBC_40_MD5 Name : 'RSA_EXPORT_WITH_RC2_CBC_40_MD5'; KeyExchange : tlscskeRSA_EXPORT; Authentication : tlscsaAnon; Cipher : tlscscRC2_CBC_40; Hash : tlscshMD5; Rec : (B1: $00; B2: $06); ServerSupport : False; ClientSupport : False; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_WITH_IDEA_CBC_SHA Name : 'RSA_WITH_IDEA_CBC_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscIDEA_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $07); ServerSupport : False; ClientSupport : False; ), ( // RSA_EXPORT_WITH_DES40_CBC_SHA Name : 'RSA_EXPORT_WITH_DES40_CBC_SHA'; KeyExchange : tlscskeRSA_EXPORT; Authentication : tlscsaAnon; Cipher : tlscscDES40_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $08); ServerSupport : False; ClientSupport : False; ), ( // RSA_WITH_DES_CBC_SHA Name : 'RSA_WITH_DES_CBC_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $09); ServerSupport : True; ClientSupport : True; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_WITH_3DES_EDE_CBC_SHA Name : 'RSA_WITH_3DES_EDE_CBC_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscsc3DES_EDE_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $0A); ServerSupport : False; ClientSupport : False; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_EXPORT1024_WITH_DES_CBC_SHA Name : 'RSA_EXPORT1024_WITH_DES_CBC_SHA'; KeyExchange : tlscskeRSA_EXPORT1024; Authentication : tlscsaAnon; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $62); ServerSupport : False; ClientSupport : False; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_EXPORT1024_WITH_RC4_56_SHA Name : 'RSA_EXPORT1024_WITH_RC4_56_SHA'; KeyExchange : tlscskeRSA_EXPORT1024; Authentication : tlscsaAnon; Cipher : tlscscRC4_56; Hash : tlscshSHA; Rec : (B1: $00; B2: $64); ServerSupport : False; ClientSupport : False; MinVersion : (major: 3; minor: 0); // SSL 3 ), ( // RSA_WITH_NULL_SHA256 Name : 'RSA_WITH_NULL_SHA256'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscNULL; Hash : tlscshSHA256; Rec : (B1: $00; B2: $3B); ServerSupport : False; ClientSupport : False; ), ( // RSA_WITH_AES_128_CBC_SHA Name : 'RSA_WITH_AES_128_CBC_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $2F); ServerSupport : True; ClientSupport : True; ), ( // RSA_WITH_AES_256_CBC_SHA Name : 'RSA_WITH_AES_256_CBC_SHA'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $35); ServerSupport : True; ClientSupport : True; ), ( // RSA_WITH_AES_128_CBC_SHA256 Name : 'RSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $3C); ServerSupport : True; ClientSupport : True; MinVersion : (major: 3; minor: 3); // TLS 1.2 ), ( // RSA_WITH_AES_256_CBC_SHA256 Name : 'RSA_WITH_AES_256_CBC_SHA256'; KeyExchange : tlscskeRSA; Authentication : tlscsaAnon; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $3D); ServerSupport : True; ClientSupport : True; MinVersion : (major: 3; minor: 3); // TLS 1.2 ), ( // DHE_DSS_EXPORT_WITH_DES40_CBC_SHA Name : 'DHE_DSS_EXPORT_WITH_DES40_CBC_SHA'; KeyExchange : tlscskeDHE_DSS_EXPORT; Authentication : tlscsaDSS; Cipher : tlscscDES40_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $11); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_DES_CBC_SHA Name : 'DHE_DSS_WITH_DES_CBC_SHA'; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $12); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_3DES_EDE_CBC_SHA Name : 'DHE_DSS_WITH_3DES_EDE_CBC_SHA'; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscsc3DES_EDE_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $13); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_RC4_128_SHA Name : 'DHE_DSS_WITH_RC4_128_SHA'; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscscRC4_128; Hash : tlscshSHA; Rec : (B1: $00; B2: $66); ServerSupport : False; ClientSupport : False; ), ( // DHE_RSA_EXPORT_WITH_DES40_CBC_SHA Name : 'DHE_RSA_EXPORT_WITH_DES40_CBC_SHA'; KeyExchange : tlscskeDHE_RSA_EXPORT; Authentication : tlscsaRSA; Cipher : tlscscDES40_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $14); ServerSupport : False; ClientSupport : False; ), ( // DHE_RSA_WITH_DES_CBC_SHA Name : 'DHE_RSA_WITH_DES_CBC_SHA'; KeyExchange : tlscskeDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscDES_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $15); ServerSupport : True; ClientSupport : True; ), ( // DHE_RSA_WITH_3DES_EDE_CBC_SHA Name : 'DHE_RSA_WITH_3DES_EDE_CBC_SHA'; KeyExchange : tlscskeDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscsc3DES_EDE_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $16); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_AES_128_CBC_SHA Name : 'DHE_DSS_WITH_AES_128_CBC_SHA '; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $32); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_AES_256_CBC_SHA Name : 'DHE_DSS_WITH_AES_256_CBC_SHA'; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $38); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_AES_128_CBC_SHA256 Name : 'DHE_DSS_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $40); ServerSupport : False; ClientSupport : False; ), ( // DHE_DSS_WITH_AES_256_CBC_SHA256 Name : 'DHE_DSS_WITH_AES_256_CBC_SHA256'; KeyExchange : tlscskeDHE_DSS; Authentication : tlscsaDSS; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $6A); ServerSupport : False; ClientSupport : False; ), ( // DHE_RSA_WITH_AES_128_CBC_SHA Name : 'DHE_RSA_WITH_AES_128_CBC_SHA'; KeyExchange : tlscskeDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $33); ServerSupport : True; ClientSupport : True; ), ( // DHE_RSA_WITH_AES_256_CBC_SHA Name : 'DHE_RSA_WITH_AES_256_CBC_SHA'; KeyExchange : tlscskeDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA; Rec : (B1: $00; B2: $39); ServerSupport : True; ClientSupport : True; ), ( // DHE_RSA_WITH_AES_128_CBC_SHA256 Name : 'DHE_RSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $67); ServerSupport : True; ClientSupport : True; ), ( // DHE_RSA_WITH_AES_256_CBC_SHA256 Name : 'DHE_RSA_WITH_AES_256_CBC_SHA256'; KeyExchange : tlscskeDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA256; Rec : (B1: $00; B2: $6B); ServerSupport : True; ClientSupport : True; ), ( // ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Name : 'ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeECDHE_ECDSA; Authentication : tlscsaECDSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $C0; B2: $23); ServerSupport : False; ClientSupport : False; ), ( // ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Name : 'ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'; KeyExchange : tlscskeECDHE_ECDSA; Authentication : tlscsaECDSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA384; Rec : (B1: $C0; B2: $24); ServerSupport : False; ClientSupport : False; ), ( // ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Name : 'ECDH_ECDSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeECDH_ECDSA; Authentication : tlscsaECDSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $C0; B2: $25); ServerSupport : False; ClientSupport : False; ), ( // ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Name : 'ECDH_ECDSA_WITH_AES_256_CBC_SHA384'; KeyExchange : tlscskeECDH_ECDSA; Authentication : tlscsaECDSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA384; Rec : (B1: $C0; B2: $26); ServerSupport : False; ClientSupport : False; ), ( // ECDHE_RSA_WITH_AES_128_CBC_SHA256 Name : 'ECDHE_RSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeECDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $C0; B2: $27); ServerSupport : False; ClientSupport : False; ), ( // ECDHE_RSA_WITH_AES_256_CBC_SHA384 Name : 'ECDHE_RSA_WITH_AES_256_CBC_SHA384'; KeyExchange : tlscskeECDHE_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA384; Rec : (B1: $C0; B2: $28); ServerSupport : False; ClientSupport : False; ), ( // ECDH_RSA_WITH_AES_128_CBC_SHA256 Name : 'ECDH_RSA_WITH_AES_128_CBC_SHA256'; KeyExchange : tlscskeECDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_128_CBC; Hash : tlscshSHA256; Rec : (B1: $C0; B2: $29); ServerSupport : False; ClientSupport : False; ), ( // ECDH_RSA_WITH_AES_256_CBC_SHA384 Name : 'ECDH_RSA_WITH_AES_256_CBC_SHA384'; KeyExchange : tlscskeECDH_RSA; Authentication : tlscsaRSA; Cipher : tlscscAES_256_CBC; Hash : tlscshSHA384; Rec : (B1: $C0; B2: $2A); ServerSupport : False; ClientSupport : False; ) ); function GetCipherSuiteByRec(const B1, B2: Byte): TTLSCipherSuite; function GetCipherSuiteByName(const Name: RawByteString): TTLSCipherSuite; type TTLSCipherSuiteKeyExchangeInfo = record Name : RawByteString; Algorithm : TTLSKeyExchangeAlgorithm; Exportable : Boolean; end; PTLSCipherSuiteKeyExchangeInfo = ^TTLSCipherSuiteKeyExchangeInfo; const TLSCipherSuiteKeyExchangeInfo : array[TTLSCipherSuiteKeyExchange] of TTLSCipherSuiteKeyExchangeInfo = ( ( // None Name : ''; Algorithm : tlskeaNone; Exportable : True; ), ( // NULL Name : 'NULL'; Algorithm : tlskeaNULL; Exportable : True; ), ( // RSA Name : 'RSA'; Algorithm : tlskeaRSA; Exportable : False; ), ( // RSA_EXPORT Name : 'RSA_EXPORT'; Algorithm : tlskeaRSA; Exportable : True; ), ( // RSA_EXPORT1024 Name : 'RSA_EXPORT1024'; Algorithm : tlskeaRSA; Exportable : True; ), ( // DH_DSS_EXPORT Name : 'DH_DSS_EXPORT'; Algorithm : tlskeaDH_DSS; Exportable : True; ), ( // DH_DSS Name : 'DH_DSS'; Algorithm : tlskeaDH_DSS; Exportable : False; ), ( // DH_RSA_EXPORT Name : 'DH_RSA_EXPORT'; Algorithm : tlskeaDH_RSA; Exportable : True; ), ( // DH_RSA Name : 'DH_RSA'; Algorithm : tlskeaDH_RSA; Exportable : False; ), ( // DHE_DSS_EXPORT Name : 'DHE_DSS_EXPORT'; Algorithm : tlskeaDHE_DSS; Exportable : True; ), ( // DHE_DSS Name : 'DHE_DSS'; Algorithm : tlskeaDHE_DSS; Exportable : False; ), ( // DHE_RSA_EXPORT Name : 'DHE_RSA_EXPORT'; Algorithm : tlskeaDHE_RSA; Exportable : True; ), ( // DHE_RSA Name : 'DHE_RSA'; Algorithm : tlskeaDHE_RSA; Exportable : False; ), ( // DH_anon_EXPORT Name : 'DH_anon_EXPORT'; Algorithm : tlskeaDH_Anon; Exportable : True; ), ( // DH_anon Name : 'DH_anon'; Algorithm : tlskeaDH_Anon; Exportable : False; ), ( // ECDHE_ECDSA Name : 'ECDHE_ECDSA'; Algorithm : tlskeaECDHE_ECDSA; Exportable : False; ), ( // ECDH_ECDSA Name : 'ECDH_ECDSA'; Algorithm : tlskeaECDH_ECDSA; Exportable : False; ), ( // ECDHE_RSA Name : 'ECDHE_RSA'; Algorithm : tlskeaECDHE_RSA; Exportable : False; ), ( // ECDH_RSA Name : 'ECDH_RSA'; Algorithm : tlskeaECDH_RSA; Exportable : False; ) ); { } { Cipher Suite Cipher } { } type TTLSCipherSuiteCipherType = ( tlscsctNone, tlscsctNULL, tlscsctStream, tlscsctBlock ); TTLSCipherSuiteBulkCipher = ( tlscsbcNone, tlscsbcNULL, tlscsbcRC4, tlscsbcRC2, tlscsbcDES, tlscsbc3DES, tlscsbcIDEA, tlscsbcDES40, tlscsbcAES ); TTLSCipherSuiteCipherInfo = record Name : RawByteString; CipherType : TTLSCipherSuiteCipherType; BulkCipher : TTLSCipherSuiteBulkCipher; KeyBits : Integer; KeyMaterial : Integer; ExpKeyMat : Integer; // expanded key material IVSize : Integer; BlockSize : Integer; Exportable : Boolean; Supported : Boolean; // Not used end; PTLSCipherSuiteCipherInfo = ^TTLSCipherSuiteCipherInfo; const TLSCipherSuiteCipherInfo : array[TTLSCipherSuiteCipher] of TTLSCipherSuiteCipherInfo = ( ( // None Name : ''; CipherType : tlscsctNone; BulkCipher : tlscsbcNone; KeyBits : 0; KeyMaterial : 0; ExpKeyMat : 0; IVSize : 0; BlockSize : 0; Exportable : True; Supported : False; ), ( // NULL Name : 'NULL'; CipherType : tlscsctNULL; BulkCipher : tlscsbcNULL; KeyBits : 0; KeyMaterial : 0; ExpKeyMat : 0; IVSize : 0; BlockSize : 0; Exportable : True; Supported : True; ), ( // RC2_CBC_40 Name : 'RC2_CBC_40'; CipherType : tlscsctBlock; BulkCipher : tlscsbcRC2; KeyBits : 40; KeyMaterial : 5; ExpKeyMat : 16; IVSize : 8; BlockSize : 8; Exportable : True; Supported : False; ), ( // RC4_40 Name : 'RC4_40'; CipherType : tlscsctStream; BulkCipher : tlscsbcRC4; KeyBits : 40; KeyMaterial : 5; ExpKeyMat : 16; IVSize : 0; BlockSize : 0; Exportable : True; Supported : False; ), ( // RC4_56 Name : 'RC4_56'; CipherType : tlscsctStream; BulkCipher : tlscsbcRC4; KeyBits : 56; KeyMaterial : 7; ExpKeyMat : 16; IVSize : 0; BlockSize : 0; Exportable : True; Supported : False; ), ( // RC4_128 Name : 'RC4_128'; CipherType : tlscsctStream; BulkCipher : tlscsbcRC4; KeyBits : 128; KeyMaterial : 16; ExpKeyMat : 16; IVSize : 0; BlockSize : 0; Exportable : False; Supported : True; ), ( // IDEA_CBC Name : 'IDEA_CBC'; CipherType : tlscsctBlock; BulkCipher : tlscsbcIDEA; KeyBits : 128; KeyMaterial : 16; ExpKeyMat : 16; IVSize : 8; BlockSize : 8; Exportable : False; Supported : False; ), ( // DES40_CBC Name : 'DES40_CBC'; CipherType : tlscsctBlock; BulkCipher : tlscsbcDES40; KeyBits : 40; KeyMaterial : 5; ExpKeyMat : 8; IVSize : 8; BlockSize : 8; Exportable : True; Supported : False; ), ( // DES_CBC Name : 'DES_CBC'; CipherType : tlscsctBlock; BulkCipher : tlscsbcDES; KeyBits : 64; KeyMaterial : 8; ExpKeyMat : 8; IVSize : 8; BlockSize : 8; Exportable : False; Supported : True; ), ( // 3DES_EDE_CBC Name : '3DES_EDE_CBC'; CipherType : tlscsctBlock; BulkCipher : tlscsbc3DES; KeyBits : 128; KeyMaterial : 24; ExpKeyMat : 24; IVSize : 8; BlockSize : 8; Exportable : False; Supported : False; ), ( // AES_128_CBC Name : 'AES_128_CBC'; CipherType : tlscsctBlock; BulkCipher : tlscsbcAES; KeyBits : 128; KeyMaterial : 16; ExpKeyMat : 16; IVSize : 16; BlockSize : 16; Exportable : False; Supported : True; ), ( // AES_256_CBC Name : 'AES_256_CBC'; CipherType : tlscsctBlock; BulkCipher : tlscsbcAES; KeyBits : 256; KeyMaterial : 32; ExpKeyMat : 32; IVSize : 16; BlockSize : 16; Exportable : False; Supported : True; ) ); TLS_CIPHERSUITE_MaxBlockSize = 16; TLS_CIPHERSUITE_MaxIVSize = 16; { } { Cipher Suite Hash } { } type TTLSCipherSuiteHashInfo = record Name : RawByteString; HashSize : Integer; KeyLength : Integer; MACAlgorithm : TTLSMACAlgorithm; Supported : Boolean; // Not used end; PTLSCipherSuiteHashInfo = ^TTLSCipherSuiteHashInfo; const TLSCipherSuiteHashInfo : array[TTLSCipherSuiteHash] of TTLSCipherSuiteHashInfo = ( ( // None Name : ''; HashSize : 0; KeyLength : 0; MACAlgorithm : tlsmaNone; Supported : False; ), ( // NULL Name : 'NULL'; HashSize : 0; KeyLength : 0; MACAlgorithm : tlsmaNULL; Supported : True; ), ( // SHA Name : 'SHA'; HashSize : 160; KeyLength : 160; MACAlgorithm : tlsmaHMAC_SHA1; Supported : True; ), ( // SHA256 Name : 'SHA256'; HashSize : 256; KeyLength : 256; MACAlgorithm : tlsmaHMAC_SHA256; Supported : True; ), ( // SHA384 Name : 'SHA384'; HashSize : 384; KeyLength : 384; MACAlgorithm : tlsmaHMAC_SHA384; Supported : True; ), ( // MD5 Name : 'MD5'; HashSize : 128; KeyLength : 128; MACAlgorithm : tlsmaHMAC_MD5; Supported : True; ) ); { } { Cipher Suite Details } { } type TTLSCipherSuiteDetails = record CipherSuite : TTLSCipherSuite; CipherSuiteInfo : PTLSCipherSuiteInfo; CipherInfo : PTLSCipherSuiteCipherInfo; HashInfo : PTLSCipherSuiteHashInfo; KeyExchangeInfo : PTLSCipherSuiteKeyExchangeInfo; end; procedure InitTLSCipherSuiteDetails(var A: TTLSCipherSuiteDetails; const CipherSuite: TTLSCipherSuite); procedure InitTLSCipherSuiteDetailsNULL(var A: TTLSCipherSuiteDetails); implementation { } { Cipher Suite } { } function GetCipherSuiteByRec(const B1, B2: Byte): TTLSCipherSuite; var C : TTLSCipherSuite; D : PTLSCipherSuiteInfo; begin for C := Low(TTLSCipherSuite) to High(TTLSCipherSuite) do begin D := @TLSCipherSuiteInfo[C]; if (D^.Rec.B1 = B1) and (D^.Rec.B2 = B2) then begin Result := C; exit; end; end; Result := tlscsNone; end; function GetCipherSuiteByName(const Name: RawByteString): TTLSCipherSuite; var C : TTLSCipherSuite; D : PTLSCipherSuiteInfo; begin for C := Low(TTLSCipherSuite) to High(TTLSCipherSuite) do begin D := @TLSCipherSuiteInfo[C]; if D^.Name = Name then begin Result := C; exit; end; end; Result := tlscsNone; end; { } { Cipher Suite Details } { } procedure InitTLSCipherSuiteDetails(var A: TTLSCipherSuiteDetails; const CipherSuite: TTLSCipherSuite); var C : PTLSCipherSuiteInfo; begin C := @TLSCipherSuiteInfo[CipherSuite]; A.CipherSuite := CipherSuite; A.CipherSuiteInfo := C; A.CipherInfo := @TLSCipherSuiteCipherInfo[C^.Cipher]; A.HashInfo := @TLSCipherSuiteHashInfo[C^.Hash]; A.KeyExchangeInfo := @TLSCipherSuiteKeyExchangeInfo[C^.KeyExchange]; end; procedure InitTLSCipherSuiteDetailsNULL(var A: TTLSCipherSuiteDetails); begin InitTLSCipherSuiteDetails(A, tlscsNULL_WITH_NULL_NULL); end; end.