search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
inet6: only mark autoconf addresses tentative if detached
[dragonfly.git] / crypto / libressl / ssl / s3_lib.c
blob989165b207805a82ba466b67c537523f8feb4e9f
1 /* $OpenBSD: s3_lib.c,v 1.238 2022/08/21 19:39:44 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <limits.h>
152 #include <stdio.h>
153
154 #include <openssl/bn.h>
155 #include <openssl/curve25519.h>
156 #include <openssl/dh.h>
157 #include <openssl/md5.h>
158 #include <openssl/objects.h>
159 #include <openssl/opensslconf.h>
160
161 #include "bytestring.h"
162 #include "dtls_locl.h"
163 #include "ssl_locl.h"
164 #include "ssl_sigalgs.h"
165 #include "ssl_tlsext.h"
166
167 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
168
169 /*
170 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
171 * fixed nonce length in algorithms2. It is the inverse of the
172 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
173 */
174 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
175
176 /* list of available SSLv3 ciphers (sorted by id) */
177 const SSL_CIPHER ssl3_ciphers[] = {
178
179 /* The RSA ciphers */
180 /* Cipher 01 */
181 {
182 .valid = 1,
183 .name = SSL3_TXT_RSA_NULL_MD5,
184 .id = SSL3_CK_RSA_NULL_MD5,
185 .algorithm_mkey = SSL_kRSA,
186 .algorithm_auth = SSL_aRSA,
187 .algorithm_enc = SSL_eNULL,
188 .algorithm_mac = SSL_MD5,
189 .algorithm_ssl = SSL_SSLV3,
190 .algo_strength = SSL_STRONG_NONE,
191 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
192 .strength_bits = 0,
193 .alg_bits = 0,
194 },
195
196 /* Cipher 02 */
197 {
198 .valid = 1,
199 .name = SSL3_TXT_RSA_NULL_SHA,
200 .id = SSL3_CK_RSA_NULL_SHA,
201 .algorithm_mkey = SSL_kRSA,
202 .algorithm_auth = SSL_aRSA,
203 .algorithm_enc = SSL_eNULL,
204 .algorithm_mac = SSL_SHA1,
205 .algorithm_ssl = SSL_SSLV3,
206 .algo_strength = SSL_STRONG_NONE,
207 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
208 .strength_bits = 0,
209 .alg_bits = 0,
210 },
211
212 /* Cipher 04 */
213 {
214 .valid = 1,
215 .name = SSL3_TXT_RSA_RC4_128_MD5,
216 .id = SSL3_CK_RSA_RC4_128_MD5,
217 .algorithm_mkey = SSL_kRSA,
218 .algorithm_auth = SSL_aRSA,
219 .algorithm_enc = SSL_RC4,
220 .algorithm_mac = SSL_MD5,
221 .algorithm_ssl = SSL_SSLV3,
222 .algo_strength = SSL_LOW,
223 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
224 .strength_bits = 128,
225 .alg_bits = 128,
226 },
227
228 /* Cipher 05 */
229 {
230 .valid = 1,
231 .name = SSL3_TXT_RSA_RC4_128_SHA,
232 .id = SSL3_CK_RSA_RC4_128_SHA,
233 .algorithm_mkey = SSL_kRSA,
234 .algorithm_auth = SSL_aRSA,
235 .algorithm_enc = SSL_RC4,
236 .algorithm_mac = SSL_SHA1,
237 .algorithm_ssl = SSL_SSLV3,
238 .algo_strength = SSL_LOW,
239 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
240 .strength_bits = 128,
241 .alg_bits = 128,
242 },
243
244 /* Cipher 0A */
245 {
246 .valid = 1,
247 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
248 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
249 .algorithm_mkey = SSL_kRSA,
250 .algorithm_auth = SSL_aRSA,
251 .algorithm_enc = SSL_3DES,
252 .algorithm_mac = SSL_SHA1,
253 .algorithm_ssl = SSL_SSLV3,
254 .algo_strength = SSL_MEDIUM,
255 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256 .strength_bits = 112,
257 .alg_bits = 168,
258 },
259
260 /*
261 * Ephemeral DH (DHE) ciphers.
262 */
263
264 /* Cipher 16 */
265 {
266 .valid = 1,
267 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
268 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
269 .algorithm_mkey = SSL_kDHE,
270 .algorithm_auth = SSL_aRSA,
271 .algorithm_enc = SSL_3DES,
272 .algorithm_mac = SSL_SHA1,
273 .algorithm_ssl = SSL_SSLV3,
274 .algo_strength = SSL_MEDIUM,
275 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
276 .strength_bits = 112,
277 .alg_bits = 168,
278 },
279
280 /* Cipher 18 */
281 {
282 .valid = 1,
283 .name = SSL3_TXT_ADH_RC4_128_MD5,
284 .id = SSL3_CK_ADH_RC4_128_MD5,
285 .algorithm_mkey = SSL_kDHE,
286 .algorithm_auth = SSL_aNULL,
287 .algorithm_enc = SSL_RC4,
288 .algorithm_mac = SSL_MD5,
289 .algorithm_ssl = SSL_SSLV3,
290 .algo_strength = SSL_LOW,
291 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
292 .strength_bits = 128,
293 .alg_bits = 128,
294 },
295
296 /* Cipher 1B */
297 {
298 .valid = 1,
299 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
300 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
301 .algorithm_mkey = SSL_kDHE,
302 .algorithm_auth = SSL_aNULL,
303 .algorithm_enc = SSL_3DES,
304 .algorithm_mac = SSL_SHA1,
305 .algorithm_ssl = SSL_SSLV3,
306 .algo_strength = SSL_MEDIUM,
307 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
308 .strength_bits = 112,
309 .alg_bits = 168,
310 },
311
312 /*
313 * AES ciphersuites.
314 */
315
316 /* Cipher 2F */
317 {
318 .valid = 1,
319 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
320 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
321 .algorithm_mkey = SSL_kRSA,
322 .algorithm_auth = SSL_aRSA,
323 .algorithm_enc = SSL_AES128,
324 .algorithm_mac = SSL_SHA1,
325 .algorithm_ssl = SSL_TLSV1,
326 .algo_strength = SSL_HIGH,
327 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
328 .strength_bits = 128,
329 .alg_bits = 128,
330 },
331
332 /* Cipher 33 */
333 {
334 .valid = 1,
335 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
336 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
337 .algorithm_mkey = SSL_kDHE,
338 .algorithm_auth = SSL_aRSA,
339 .algorithm_enc = SSL_AES128,
340 .algorithm_mac = SSL_SHA1,
341 .algorithm_ssl = SSL_TLSV1,
342 .algo_strength = SSL_HIGH,
343 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
344 .strength_bits = 128,
345 .alg_bits = 128,
346 },
347
348 /* Cipher 34 */
349 {
350 .valid = 1,
351 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
352 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
353 .algorithm_mkey = SSL_kDHE,
354 .algorithm_auth = SSL_aNULL,
355 .algorithm_enc = SSL_AES128,
356 .algorithm_mac = SSL_SHA1,
357 .algorithm_ssl = SSL_TLSV1,
358 .algo_strength = SSL_HIGH,
359 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
360 .strength_bits = 128,
361 .alg_bits = 128,
362 },
363
364 /* Cipher 35 */
365 {
366 .valid = 1,
367 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
368 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
369 .algorithm_mkey = SSL_kRSA,
370 .algorithm_auth = SSL_aRSA,
371 .algorithm_enc = SSL_AES256,
372 .algorithm_mac = SSL_SHA1,
373 .algorithm_ssl = SSL_TLSV1,
374 .algo_strength = SSL_HIGH,
375 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
376 .strength_bits = 256,
377 .alg_bits = 256,
378 },
379
380 /* Cipher 39 */
381 {
382 .valid = 1,
383 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
384 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
385 .algorithm_mkey = SSL_kDHE,
386 .algorithm_auth = SSL_aRSA,
387 .algorithm_enc = SSL_AES256,
388 .algorithm_mac = SSL_SHA1,
389 .algorithm_ssl = SSL_TLSV1,
390 .algo_strength = SSL_HIGH,
391 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
392 .strength_bits = 256,
393 .alg_bits = 256,
394 },
395
396 /* Cipher 3A */
397 {
398 .valid = 1,
399 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
400 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
401 .algorithm_mkey = SSL_kDHE,
402 .algorithm_auth = SSL_aNULL,
403 .algorithm_enc = SSL_AES256,
404 .algorithm_mac = SSL_SHA1,
405 .algorithm_ssl = SSL_TLSV1,
406 .algo_strength = SSL_HIGH,
407 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
408 .strength_bits = 256,
409 .alg_bits = 256,
410 },
411
412 /* TLS v1.2 ciphersuites */
413 /* Cipher 3B */
414 {
415 .valid = 1,
416 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
417 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
418 .algorithm_mkey = SSL_kRSA,
419 .algorithm_auth = SSL_aRSA,
420 .algorithm_enc = SSL_eNULL,
421 .algorithm_mac = SSL_SHA256,
422 .algorithm_ssl = SSL_TLSV1_2,
423 .algo_strength = SSL_STRONG_NONE,
424 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
425 .strength_bits = 0,
426 .alg_bits = 0,
427 },
428
429 /* Cipher 3C */
430 {
431 .valid = 1,
432 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
433 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
434 .algorithm_mkey = SSL_kRSA,
435 .algorithm_auth = SSL_aRSA,
436 .algorithm_enc = SSL_AES128,
437 .algorithm_mac = SSL_SHA256,
438 .algorithm_ssl = SSL_TLSV1_2,
439 .algo_strength = SSL_HIGH,
440 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
441 .strength_bits = 128,
442 .alg_bits = 128,
443 },
444
445 /* Cipher 3D */
446 {
447 .valid = 1,
448 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
449 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
450 .algorithm_mkey = SSL_kRSA,
451 .algorithm_auth = SSL_aRSA,
452 .algorithm_enc = SSL_AES256,
453 .algorithm_mac = SSL_SHA256,
454 .algorithm_ssl = SSL_TLSV1_2,
455 .algo_strength = SSL_HIGH,
456 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
457 .strength_bits = 256,
458 .alg_bits = 256,
459 },
460
461 #ifndef OPENSSL_NO_CAMELLIA
462 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
463
464 /* Cipher 41 */
465 {
466 .valid = 1,
467 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
468 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
469 .algorithm_mkey = SSL_kRSA,
470 .algorithm_auth = SSL_aRSA,
471 .algorithm_enc = SSL_CAMELLIA128,
472 .algorithm_mac = SSL_SHA1,
473 .algorithm_ssl = SSL_TLSV1,
474 .algo_strength = SSL_HIGH,
475 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
476 .strength_bits = 128,
477 .alg_bits = 128,
478 },
479
480 /* Cipher 45 */
481 {
482 .valid = 1,
483 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
484 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
485 .algorithm_mkey = SSL_kDHE,
486 .algorithm_auth = SSL_aRSA,
487 .algorithm_enc = SSL_CAMELLIA128,
488 .algorithm_mac = SSL_SHA1,
489 .algorithm_ssl = SSL_TLSV1,
490 .algo_strength = SSL_HIGH,
491 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
492 .strength_bits = 128,
493 .alg_bits = 128,
494 },
495
496 /* Cipher 46 */
497 {
498 .valid = 1,
499 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
500 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
501 .algorithm_mkey = SSL_kDHE,
502 .algorithm_auth = SSL_aNULL,
503 .algorithm_enc = SSL_CAMELLIA128,
504 .algorithm_mac = SSL_SHA1,
505 .algorithm_ssl = SSL_TLSV1,
506 .algo_strength = SSL_HIGH,
507 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
508 .strength_bits = 128,
509 .alg_bits = 128,
510 },
511 #endif /* OPENSSL_NO_CAMELLIA */
512
513 /* TLS v1.2 ciphersuites */
514 /* Cipher 67 */
515 {
516 .valid = 1,
517 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
518 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
519 .algorithm_mkey = SSL_kDHE,
520 .algorithm_auth = SSL_aRSA,
521 .algorithm_enc = SSL_AES128,
522 .algorithm_mac = SSL_SHA256,
523 .algorithm_ssl = SSL_TLSV1_2,
524 .algo_strength = SSL_HIGH,
525 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
526 .strength_bits = 128,
527 .alg_bits = 128,
528 },
529
530 /* Cipher 6B */
531 {
532 .valid = 1,
533 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
534 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
535 .algorithm_mkey = SSL_kDHE,
536 .algorithm_auth = SSL_aRSA,
537 .algorithm_enc = SSL_AES256,
538 .algorithm_mac = SSL_SHA256,
539 .algorithm_ssl = SSL_TLSV1_2,
540 .algo_strength = SSL_HIGH,
541 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
542 .strength_bits = 256,
543 .alg_bits = 256,
544 },
545
546 /* Cipher 6C */
547 {
548 .valid = 1,
549 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
550 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
551 .algorithm_mkey = SSL_kDHE,
552 .algorithm_auth = SSL_aNULL,
553 .algorithm_enc = SSL_AES128,
554 .algorithm_mac = SSL_SHA256,
555 .algorithm_ssl = SSL_TLSV1_2,
556 .algo_strength = SSL_HIGH,
557 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
558 .strength_bits = 128,
559 .alg_bits = 128,
560 },
561
562 /* Cipher 6D */
563 {
564 .valid = 1,
565 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
566 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
567 .algorithm_mkey = SSL_kDHE,
568 .algorithm_auth = SSL_aNULL,
569 .algorithm_enc = SSL_AES256,
570 .algorithm_mac = SSL_SHA256,
571 .algorithm_ssl = SSL_TLSV1_2,
572 .algo_strength = SSL_HIGH,
573 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
574 .strength_bits = 256,
575 .alg_bits = 256,
576 },
577
578 /* GOST Ciphersuites */
579
580 /* Cipher 81 */
581 {
582 .valid = 1,
583 .name = "GOST2001-GOST89-GOST89",
584 .id = 0x3000081,
585 .algorithm_mkey = SSL_kGOST,
586 .algorithm_auth = SSL_aGOST01,
587 .algorithm_enc = SSL_eGOST2814789CNT,
588 .algorithm_mac = SSL_GOST89MAC,
589 .algorithm_ssl = SSL_TLSV1,
590 .algo_strength = SSL_HIGH,
591 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
592 TLS1_STREAM_MAC,
593 .strength_bits = 256,
594 .alg_bits = 256
595 },
596
597 /* Cipher 83 */
598 {
599 .valid = 1,
600 .name = "GOST2001-NULL-GOST94",
601 .id = 0x3000083,
602 .algorithm_mkey = SSL_kGOST,
603 .algorithm_auth = SSL_aGOST01,
604 .algorithm_enc = SSL_eNULL,
605 .algorithm_mac = SSL_GOST94,
606 .algorithm_ssl = SSL_TLSV1,
607 .algo_strength = SSL_STRONG_NONE,
608 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
609 .strength_bits = 0,
610 .alg_bits = 0
611 },
612
613 #ifndef OPENSSL_NO_CAMELLIA
614 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
615
616 /* Cipher 84 */
617 {
618 .valid = 1,
619 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
620 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
621 .algorithm_mkey = SSL_kRSA,
622 .algorithm_auth = SSL_aRSA,
623 .algorithm_enc = SSL_CAMELLIA256,
624 .algorithm_mac = SSL_SHA1,
625 .algorithm_ssl = SSL_TLSV1,
626 .algo_strength = SSL_HIGH,
627 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
628 .strength_bits = 256,
629 .alg_bits = 256,
630 },
631
632 /* Cipher 88 */
633 {
634 .valid = 1,
635 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
636 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
637 .algorithm_mkey = SSL_kDHE,
638 .algorithm_auth = SSL_aRSA,
639 .algorithm_enc = SSL_CAMELLIA256,
640 .algorithm_mac = SSL_SHA1,
641 .algorithm_ssl = SSL_TLSV1,
642 .algo_strength = SSL_HIGH,
643 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
644 .strength_bits = 256,
645 .alg_bits = 256,
646 },
647
648 /* Cipher 89 */
649 {
650 .valid = 1,
651 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
652 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
653 .algorithm_mkey = SSL_kDHE,
654 .algorithm_auth = SSL_aNULL,
655 .algorithm_enc = SSL_CAMELLIA256,
656 .algorithm_mac = SSL_SHA1,
657 .algorithm_ssl = SSL_TLSV1,
658 .algo_strength = SSL_HIGH,
659 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
660 .strength_bits = 256,
661 .alg_bits = 256,
662 },
663 #endif /* OPENSSL_NO_CAMELLIA */
664
665 /*
666 * GCM ciphersuites from RFC5288.
667 */
668
669 /* Cipher 9C */
670 {
671 .valid = 1,
672 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
673 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
674 .algorithm_mkey = SSL_kRSA,
675 .algorithm_auth = SSL_aRSA,
676 .algorithm_enc = SSL_AES128GCM,
677 .algorithm_mac = SSL_AEAD,
678 .algorithm_ssl = SSL_TLSV1_2,
679 .algo_strength = SSL_HIGH,
680 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
681 FIXED_NONCE_LEN(4)|
682 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
683 .strength_bits = 128,
684 .alg_bits = 128,
685 },
686
687 /* Cipher 9D */
688 {
689 .valid = 1,
690 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
691 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
692 .algorithm_mkey = SSL_kRSA,
693 .algorithm_auth = SSL_aRSA,
694 .algorithm_enc = SSL_AES256GCM,
695 .algorithm_mac = SSL_AEAD,
696 .algorithm_ssl = SSL_TLSV1_2,
697 .algo_strength = SSL_HIGH,
698 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
699 FIXED_NONCE_LEN(4)|
700 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
701 .strength_bits = 256,
702 .alg_bits = 256,
703 },
704
705 /* Cipher 9E */
706 {
707 .valid = 1,
708 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
709 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
710 .algorithm_mkey = SSL_kDHE,
711 .algorithm_auth = SSL_aRSA,
712 .algorithm_enc = SSL_AES128GCM,
713 .algorithm_mac = SSL_AEAD,
714 .algorithm_ssl = SSL_TLSV1_2,
715 .algo_strength = SSL_HIGH,
716 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
717 FIXED_NONCE_LEN(4)|
718 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
719 .strength_bits = 128,
720 .alg_bits = 128,
721 },
722
723 /* Cipher 9F */
724 {
725 .valid = 1,
726 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
727 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
728 .algorithm_mkey = SSL_kDHE,
729 .algorithm_auth = SSL_aRSA,
730 .algorithm_enc = SSL_AES256GCM,
731 .algorithm_mac = SSL_AEAD,
732 .algorithm_ssl = SSL_TLSV1_2,
733 .algo_strength = SSL_HIGH,
734 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
735 FIXED_NONCE_LEN(4)|
736 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
737 .strength_bits = 256,
738 .alg_bits = 256,
739 },
740
741 /* Cipher A6 */
742 {
743 .valid = 1,
744 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
745 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
746 .algorithm_mkey = SSL_kDHE,
747 .algorithm_auth = SSL_aNULL,
748 .algorithm_enc = SSL_AES128GCM,
749 .algorithm_mac = SSL_AEAD,
750 .algorithm_ssl = SSL_TLSV1_2,
751 .algo_strength = SSL_HIGH,
752 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
753 FIXED_NONCE_LEN(4)|
754 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
755 .strength_bits = 128,
756 .alg_bits = 128,
757 },
758
759 /* Cipher A7 */
760 {
761 .valid = 1,
762 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
763 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
764 .algorithm_mkey = SSL_kDHE,
765 .algorithm_auth = SSL_aNULL,
766 .algorithm_enc = SSL_AES256GCM,
767 .algorithm_mac = SSL_AEAD,
768 .algorithm_ssl = SSL_TLSV1_2,
769 .algo_strength = SSL_HIGH,
770 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
771 FIXED_NONCE_LEN(4)|
772 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
773 .strength_bits = 256,
774 .alg_bits = 256,
775 },
776
777 #ifndef OPENSSL_NO_CAMELLIA
778 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
779
780 /* Cipher BA */
781 {
782 .valid = 1,
783 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
784 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
785 .algorithm_mkey = SSL_kRSA,
786 .algorithm_auth = SSL_aRSA,
787 .algorithm_enc = SSL_CAMELLIA128,
788 .algorithm_mac = SSL_SHA256,
789 .algorithm_ssl = SSL_TLSV1_2,
790 .algo_strength = SSL_HIGH,
791 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
792 .strength_bits = 128,
793 .alg_bits = 128,
794 },
795
796 /* Cipher BE */
797 {
798 .valid = 1,
799 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
800 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
801 .algorithm_mkey = SSL_kDHE,
802 .algorithm_auth = SSL_aRSA,
803 .algorithm_enc = SSL_CAMELLIA128,
804 .algorithm_mac = SSL_SHA256,
805 .algorithm_ssl = SSL_TLSV1_2,
806 .algo_strength = SSL_HIGH,
807 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
808 .strength_bits = 128,
809 .alg_bits = 128,
810 },
811
812 /* Cipher BF */
813 {
814 .valid = 1,
815 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
816 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
817 .algorithm_mkey = SSL_kDHE,
818 .algorithm_auth = SSL_aNULL,
819 .algorithm_enc = SSL_CAMELLIA128,
820 .algorithm_mac = SSL_SHA256,
821 .algorithm_ssl = SSL_TLSV1_2,
822 .algo_strength = SSL_HIGH,
823 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
824 .strength_bits = 128,
825 .alg_bits = 128,
826 },
827
828 /* Cipher C0 */
829 {
830 .valid = 1,
831 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
832 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
833 .algorithm_mkey = SSL_kRSA,
834 .algorithm_auth = SSL_aRSA,
835 .algorithm_enc = SSL_CAMELLIA256,
836 .algorithm_mac = SSL_SHA256,
837 .algorithm_ssl = SSL_TLSV1_2,
838 .algo_strength = SSL_HIGH,
839 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
840 .strength_bits = 256,
841 .alg_bits = 256,
842 },
843
844 /* Cipher C4 */
845 {
846 .valid = 1,
847 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
848 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
849 .algorithm_mkey = SSL_kDHE,
850 .algorithm_auth = SSL_aRSA,
851 .algorithm_enc = SSL_CAMELLIA256,
852 .algorithm_mac = SSL_SHA256,
853 .algorithm_ssl = SSL_TLSV1_2,
854 .algo_strength = SSL_HIGH,
855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
856 .strength_bits = 256,
857 .alg_bits = 256,
858 },
859
860 /* Cipher C5 */
861 {
862 .valid = 1,
863 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
864 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
865 .algorithm_mkey = SSL_kDHE,
866 .algorithm_auth = SSL_aNULL,
867 .algorithm_enc = SSL_CAMELLIA256,
868 .algorithm_mac = SSL_SHA256,
869 .algorithm_ssl = SSL_TLSV1_2,
870 .algo_strength = SSL_HIGH,
871 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
872 .strength_bits = 256,
873 .alg_bits = 256,
874 },
875 #endif /* OPENSSL_NO_CAMELLIA */
876
877 /*
878 * TLSv1.3 cipher suites.
879 */
880
881 #ifdef LIBRESSL_HAS_TLS1_3
882 /* Cipher 1301 */
883 {
884 .valid = 1,
885 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
886 .id = TLS1_3_CK_AES_128_GCM_SHA256,
887 .algorithm_mkey = SSL_kTLS1_3,
888 .algorithm_auth = SSL_aTLS1_3,
889 .algorithm_enc = SSL_AES128GCM,
890 .algorithm_mac = SSL_AEAD,
891 .algorithm_ssl = SSL_TLSV1_3,
892 .algo_strength = SSL_HIGH,
893 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
894 .strength_bits = 128,
895 .alg_bits = 128,
896 },
897
898 /* Cipher 1302 */
899 {
900 .valid = 1,
901 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
902 .id = TLS1_3_CK_AES_256_GCM_SHA384,
903 .algorithm_mkey = SSL_kTLS1_3,
904 .algorithm_auth = SSL_aTLS1_3,
905 .algorithm_enc = SSL_AES256GCM,
906 .algorithm_mac = SSL_AEAD,
907 .algorithm_ssl = SSL_TLSV1_3,
908 .algo_strength = SSL_HIGH,
909 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
910 .strength_bits = 256,
911 .alg_bits = 256,
912 },
913
914 /* Cipher 1303 */
915 {
916 .valid = 1,
917 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
918 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
919 .algorithm_mkey = SSL_kTLS1_3,
920 .algorithm_auth = SSL_aTLS1_3,
921 .algorithm_enc = SSL_CHACHA20POLY1305,
922 .algorithm_mac = SSL_AEAD,
923 .algorithm_ssl = SSL_TLSV1_3,
924 .algo_strength = SSL_HIGH,
925 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
926 .strength_bits = 256,
927 .alg_bits = 256,
928 },
929 #endif
930
931 /* Cipher C006 */
932 {
933 .valid = 1,
934 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
935 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
936 .algorithm_mkey = SSL_kECDHE,
937 .algorithm_auth = SSL_aECDSA,
938 .algorithm_enc = SSL_eNULL,
939 .algorithm_mac = SSL_SHA1,
940 .algorithm_ssl = SSL_TLSV1,
941 .algo_strength = SSL_STRONG_NONE,
942 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
943 .strength_bits = 0,
944 .alg_bits = 0,
945 },
946
947 /* Cipher C007 */
948 {
949 .valid = 1,
950 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
951 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
952 .algorithm_mkey = SSL_kECDHE,
953 .algorithm_auth = SSL_aECDSA,
954 .algorithm_enc = SSL_RC4,
955 .algorithm_mac = SSL_SHA1,
956 .algorithm_ssl = SSL_TLSV1,
957 .algo_strength = SSL_LOW,
958 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
959 .strength_bits = 128,
960 .alg_bits = 128,
961 },
962
963 /* Cipher C008 */
964 {
965 .valid = 1,
966 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
967 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
968 .algorithm_mkey = SSL_kECDHE,
969 .algorithm_auth = SSL_aECDSA,
970 .algorithm_enc = SSL_3DES,
971 .algorithm_mac = SSL_SHA1,
972 .algorithm_ssl = SSL_TLSV1,
973 .algo_strength = SSL_MEDIUM,
974 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
975 .strength_bits = 112,
976 .alg_bits = 168,
977 },
978
979 /* Cipher C009 */
980 {
981 .valid = 1,
982 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
983 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
984 .algorithm_mkey = SSL_kECDHE,
985 .algorithm_auth = SSL_aECDSA,
986 .algorithm_enc = SSL_AES128,
987 .algorithm_mac = SSL_SHA1,
988 .algorithm_ssl = SSL_TLSV1,
989 .algo_strength = SSL_HIGH,
990 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
991 .strength_bits = 128,
992 .alg_bits = 128,
993 },
994
995 /* Cipher C00A */
996 {
997 .valid = 1,
998 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
999 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1000 .algorithm_mkey = SSL_kECDHE,
1001 .algorithm_auth = SSL_aECDSA,
1002 .algorithm_enc = SSL_AES256,
1003 .algorithm_mac = SSL_SHA1,
1004 .algorithm_ssl = SSL_TLSV1,
1005 .algo_strength = SSL_HIGH,
1006 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1007 .strength_bits = 256,
1008 .alg_bits = 256,
1009 },
1010
1011 /* Cipher C010 */
1012 {
1013 .valid = 1,
1014 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1015 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1016 .algorithm_mkey = SSL_kECDHE,
1017 .algorithm_auth = SSL_aRSA,
1018 .algorithm_enc = SSL_eNULL,
1019 .algorithm_mac = SSL_SHA1,
1020 .algorithm_ssl = SSL_TLSV1,
1021 .algo_strength = SSL_STRONG_NONE,
1022 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1023 .strength_bits = 0,
1024 .alg_bits = 0,
1025 },
1026
1027 /* Cipher C011 */
1028 {
1029 .valid = 1,
1030 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1031 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1032 .algorithm_mkey = SSL_kECDHE,
1033 .algorithm_auth = SSL_aRSA,
1034 .algorithm_enc = SSL_RC4,
1035 .algorithm_mac = SSL_SHA1,
1036 .algorithm_ssl = SSL_TLSV1,
1037 .algo_strength = SSL_LOW,
1038 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1039 .strength_bits = 128,
1040 .alg_bits = 128,
1041 },
1042
1043 /* Cipher C012 */
1044 {
1045 .valid = 1,
1046 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1047 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1048 .algorithm_mkey = SSL_kECDHE,
1049 .algorithm_auth = SSL_aRSA,
1050 .algorithm_enc = SSL_3DES,
1051 .algorithm_mac = SSL_SHA1,
1052 .algorithm_ssl = SSL_TLSV1,
1053 .algo_strength = SSL_MEDIUM,
1054 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1055 .strength_bits = 112,
1056 .alg_bits = 168,
1057 },
1058
1059 /* Cipher C013 */
1060 {
1061 .valid = 1,
1062 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1063 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1064 .algorithm_mkey = SSL_kECDHE,
1065 .algorithm_auth = SSL_aRSA,
1066 .algorithm_enc = SSL_AES128,
1067 .algorithm_mac = SSL_SHA1,
1068 .algorithm_ssl = SSL_TLSV1,
1069 .algo_strength = SSL_HIGH,
1070 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1071 .strength_bits = 128,
1072 .alg_bits = 128,
1073 },
1074
1075 /* Cipher C014 */
1076 {
1077 .valid = 1,
1078 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1079 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1080 .algorithm_mkey = SSL_kECDHE,
1081 .algorithm_auth = SSL_aRSA,
1082 .algorithm_enc = SSL_AES256,
1083 .algorithm_mac = SSL_SHA1,
1084 .algorithm_ssl = SSL_TLSV1,
1085 .algo_strength = SSL_HIGH,
1086 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1087 .strength_bits = 256,
1088 .alg_bits = 256,
1089 },
1090
1091 /* Cipher C015 */
1092 {
1093 .valid = 1,
1094 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1095 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1096 .algorithm_mkey = SSL_kECDHE,
1097 .algorithm_auth = SSL_aNULL,
1098 .algorithm_enc = SSL_eNULL,
1099 .algorithm_mac = SSL_SHA1,
1100 .algorithm_ssl = SSL_TLSV1,
1101 .algo_strength = SSL_STRONG_NONE,
1102 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1103 .strength_bits = 0,
1104 .alg_bits = 0,
1105 },
1106
1107 /* Cipher C016 */
1108 {
1109 .valid = 1,
1110 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1111 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1112 .algorithm_mkey = SSL_kECDHE,
1113 .algorithm_auth = SSL_aNULL,
1114 .algorithm_enc = SSL_RC4,
1115 .algorithm_mac = SSL_SHA1,
1116 .algorithm_ssl = SSL_TLSV1,
1117 .algo_strength = SSL_LOW,
1118 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1119 .strength_bits = 128,
1120 .alg_bits = 128,
1121 },
1122
1123 /* Cipher C017 */
1124 {
1125 .valid = 1,
1126 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1127 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1128 .algorithm_mkey = SSL_kECDHE,
1129 .algorithm_auth = SSL_aNULL,
1130 .algorithm_enc = SSL_3DES,
1131 .algorithm_mac = SSL_SHA1,
1132 .algorithm_ssl = SSL_TLSV1,
1133 .algo_strength = SSL_MEDIUM,
1134 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1135 .strength_bits = 112,
1136 .alg_bits = 168,
1137 },
1138
1139 /* Cipher C018 */
1140 {
1141 .valid = 1,
1142 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1143 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1144 .algorithm_mkey = SSL_kECDHE,
1145 .algorithm_auth = SSL_aNULL,
1146 .algorithm_enc = SSL_AES128,
1147 .algorithm_mac = SSL_SHA1,
1148 .algorithm_ssl = SSL_TLSV1,
1149 .algo_strength = SSL_HIGH,
1150 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1151 .strength_bits = 128,
1152 .alg_bits = 128,
1153 },
1154
1155 /* Cipher C019 */
1156 {
1157 .valid = 1,
1158 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1159 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1160 .algorithm_mkey = SSL_kECDHE,
1161 .algorithm_auth = SSL_aNULL,
1162 .algorithm_enc = SSL_AES256,
1163 .algorithm_mac = SSL_SHA1,
1164 .algorithm_ssl = SSL_TLSV1,
1165 .algo_strength = SSL_HIGH,
1166 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1167 .strength_bits = 256,
1168 .alg_bits = 256,
1169 },
1170
1171
1172 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1173
1174 /* Cipher C023 */
1175 {
1176 .valid = 1,
1177 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1178 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1179 .algorithm_mkey = SSL_kECDHE,
1180 .algorithm_auth = SSL_aECDSA,
1181 .algorithm_enc = SSL_AES128,
1182 .algorithm_mac = SSL_SHA256,
1183 .algorithm_ssl = SSL_TLSV1_2,
1184 .algo_strength = SSL_HIGH,
1185 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1186 .strength_bits = 128,
1187 .alg_bits = 128,
1188 },
1189
1190 /* Cipher C024 */
1191 {
1192 .valid = 1,
1193 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1194 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1195 .algorithm_mkey = SSL_kECDHE,
1196 .algorithm_auth = SSL_aECDSA,
1197 .algorithm_enc = SSL_AES256,
1198 .algorithm_mac = SSL_SHA384,
1199 .algorithm_ssl = SSL_TLSV1_2,
1200 .algo_strength = SSL_HIGH,
1201 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1202 .strength_bits = 256,
1203 .alg_bits = 256,
1204 },
1205
1206 /* Cipher C027 */
1207 {
1208 .valid = 1,
1209 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1210 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1211 .algorithm_mkey = SSL_kECDHE,
1212 .algorithm_auth = SSL_aRSA,
1213 .algorithm_enc = SSL_AES128,
1214 .algorithm_mac = SSL_SHA256,
1215 .algorithm_ssl = SSL_TLSV1_2,
1216 .algo_strength = SSL_HIGH,
1217 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1218 .strength_bits = 128,
1219 .alg_bits = 128,
1220 },
1221
1222 /* Cipher C028 */
1223 {
1224 .valid = 1,
1225 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1226 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1227 .algorithm_mkey = SSL_kECDHE,
1228 .algorithm_auth = SSL_aRSA,
1229 .algorithm_enc = SSL_AES256,
1230 .algorithm_mac = SSL_SHA384,
1231 .algorithm_ssl = SSL_TLSV1_2,
1232 .algo_strength = SSL_HIGH,
1233 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1234 .strength_bits = 256,
1235 .alg_bits = 256,
1236 },
1237
1238 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1239
1240 /* Cipher C02B */
1241 {
1242 .valid = 1,
1243 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1244 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1245 .algorithm_mkey = SSL_kECDHE,
1246 .algorithm_auth = SSL_aECDSA,
1247 .algorithm_enc = SSL_AES128GCM,
1248 .algorithm_mac = SSL_AEAD,
1249 .algorithm_ssl = SSL_TLSV1_2,
1250 .algo_strength = SSL_HIGH,
1251 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1252 FIXED_NONCE_LEN(4)|
1253 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1254 .strength_bits = 128,
1255 .alg_bits = 128,
1256 },
1257
1258 /* Cipher C02C */
1259 {
1260 .valid = 1,
1261 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1262 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1263 .algorithm_mkey = SSL_kECDHE,
1264 .algorithm_auth = SSL_aECDSA,
1265 .algorithm_enc = SSL_AES256GCM,
1266 .algorithm_mac = SSL_AEAD,
1267 .algorithm_ssl = SSL_TLSV1_2,
1268 .algo_strength = SSL_HIGH,
1269 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1270 FIXED_NONCE_LEN(4)|
1271 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1272 .strength_bits = 256,
1273 .alg_bits = 256,
1274 },
1275
1276 /* Cipher C02F */
1277 {
1278 .valid = 1,
1279 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1280 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1281 .algorithm_mkey = SSL_kECDHE,
1282 .algorithm_auth = SSL_aRSA,
1283 .algorithm_enc = SSL_AES128GCM,
1284 .algorithm_mac = SSL_AEAD,
1285 .algorithm_ssl = SSL_TLSV1_2,
1286 .algo_strength = SSL_HIGH,
1287 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1288 FIXED_NONCE_LEN(4)|
1289 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1290 .strength_bits = 128,
1291 .alg_bits = 128,
1292 },
1293
1294 /* Cipher C030 */
1295 {
1296 .valid = 1,
1297 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1298 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1299 .algorithm_mkey = SSL_kECDHE,
1300 .algorithm_auth = SSL_aRSA,
1301 .algorithm_enc = SSL_AES256GCM,
1302 .algorithm_mac = SSL_AEAD,
1303 .algorithm_ssl = SSL_TLSV1_2,
1304 .algo_strength = SSL_HIGH,
1305 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1306 FIXED_NONCE_LEN(4)|
1307 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1308 .strength_bits = 256,
1309 .alg_bits = 256,
1310 },
1311
1312 /* Cipher CCA8 */
1313 {
1314 .valid = 1,
1315 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1316 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1317 .algorithm_mkey = SSL_kECDHE,
1318 .algorithm_auth = SSL_aRSA,
1319 .algorithm_enc = SSL_CHACHA20POLY1305,
1320 .algorithm_mac = SSL_AEAD,
1321 .algorithm_ssl = SSL_TLSV1_2,
1322 .algo_strength = SSL_HIGH,
1323 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1324 FIXED_NONCE_LEN(12),
1325 .strength_bits = 256,
1326 .alg_bits = 256,
1327 },
1328
1329 /* Cipher CCA9 */
1330 {
1331 .valid = 1,
1332 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1333 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1334 .algorithm_mkey = SSL_kECDHE,
1335 .algorithm_auth = SSL_aECDSA,
1336 .algorithm_enc = SSL_CHACHA20POLY1305,
1337 .algorithm_mac = SSL_AEAD,
1338 .algorithm_ssl = SSL_TLSV1_2,
1339 .algo_strength = SSL_HIGH,
1340 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1341 FIXED_NONCE_LEN(12),
1342 .strength_bits = 256,
1343 .alg_bits = 256,
1344 },
1345
1346 /* Cipher CCAA */
1347 {
1348 .valid = 1,
1349 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1350 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1351 .algorithm_mkey = SSL_kDHE,
1352 .algorithm_auth = SSL_aRSA,
1353 .algorithm_enc = SSL_CHACHA20POLY1305,
1354 .algorithm_mac = SSL_AEAD,
1355 .algorithm_ssl = SSL_TLSV1_2,
1356 .algo_strength = SSL_HIGH,
1357 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1358 FIXED_NONCE_LEN(12),
1359 .strength_bits = 256,
1360 .alg_bits = 256,
1361 },
1362
1363 /* Cipher FF85 FIXME IANA */
1364 {
1365 .valid = 1,
1366 .name = "GOST2012256-GOST89-GOST89",
1367 .id = 0x300ff85, /* FIXME IANA */
1368 .algorithm_mkey = SSL_kGOST,
1369 .algorithm_auth = SSL_aGOST01,
1370 .algorithm_enc = SSL_eGOST2814789CNT,
1371 .algorithm_mac = SSL_GOST89MAC,
1372 .algorithm_ssl = SSL_TLSV1,
1373 .algo_strength = SSL_HIGH,
1374 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1375 TLS1_STREAM_MAC,
1376 .strength_bits = 256,
1377 .alg_bits = 256
1378 },
1379
1380 /* Cipher FF87 FIXME IANA */
1381 {
1382 .valid = 1,
1383 .name = "GOST2012256-NULL-STREEBOG256",
1384 .id = 0x300ff87, /* FIXME IANA */
1385 .algorithm_mkey = SSL_kGOST,
1386 .algorithm_auth = SSL_aGOST01,
1387 .algorithm_enc = SSL_eNULL,
1388 .algorithm_mac = SSL_STREEBOG256,
1389 .algorithm_ssl = SSL_TLSV1,
1390 .algo_strength = SSL_STRONG_NONE,
1391 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1392 .strength_bits = 0,
1393 .alg_bits = 0
1394 },
1395
1396
1397 /* end of list */
1398 };
1399
1400 int
1401 ssl3_num_ciphers(void)
1402 {
1403 return (SSL3_NUM_CIPHERS);
1404 }
1405
1406 const SSL_CIPHER *
1407 ssl3_get_cipher(unsigned int u)
1408 {
1409 if (u < SSL3_NUM_CIPHERS)
1410 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1411 else
1412 return (NULL);
1413 }
1414
1415 const SSL_CIPHER *
1416 ssl3_get_cipher_by_id(unsigned int id)
1417 {
1418 const SSL_CIPHER *cp;
1419 SSL_CIPHER c;
1420
1421 c.id = id;
1422 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1423 if (cp != NULL && cp->valid == 1)
1424 return (cp);
1425
1426 return (NULL);
1427 }
1428
1429 const SSL_CIPHER *
1430 ssl3_get_cipher_by_value(uint16_t value)
1431 {
1432 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1433 }
1434
1435 uint16_t
1436 ssl3_cipher_get_value(const SSL_CIPHER *c)
1437 {
1438 return (c->id & SSL3_CK_VALUE_MASK);
1439 }
1440
1441 int
1442 ssl3_pending(const SSL *s)
1443 {
1444 if (s->internal->rstate == SSL_ST_READ_BODY)
1445 return 0;
1446
1447 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1448 s->s3->rrec.length : 0;
1449 }
1450
1451 int
1452 ssl3_handshake_msg_hdr_len(SSL *s)
1453 {
1454 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1455 SSL3_HM_HEADER_LENGTH);
1456 }
1457
1458 int
1459 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1460 {
1461 int ret = 0;
1462
1463 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1464 goto err;
1465 if (!CBB_add_u8(handshake, msg_type))
1466 goto err;
1467 if (SSL_is_dtls(s)) {
1468 unsigned char *data;
1469
1470 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1471 SSL3_HM_HEADER_LENGTH))
1472 goto err;
1473 }
1474 if (!CBB_add_u24_length_prefixed(handshake, body))
1475 goto err;
1476
1477 ret = 1;
1478
1479 err:
1480 return (ret);
1481 }
1482
1483 int
1484 ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1485 {
1486 unsigned char *data = NULL;
1487 size_t outlen;
1488 int ret = 0;
1489
1490 if (!CBB_finish(handshake, &data, &outlen))
1491 goto err;
1492
1493 if (outlen > INT_MAX)
1494 goto err;
1495
1496 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1497 goto err;
1498
1499 memcpy(s->internal->init_buf->data, data, outlen);
1500
1501 s->internal->init_num = (int)outlen;
1502 s->internal->init_off = 0;
1503
1504 if (SSL_is_dtls(s)) {
1505 unsigned long len;
1506 uint8_t msg_type;
1507 CBS cbs;
1508
1509 CBS_init(&cbs, data, outlen);
1510 if (!CBS_get_u8(&cbs, &msg_type))
1511 goto err;
1512
1513 len = outlen - ssl3_handshake_msg_hdr_len(s);
1514
1515 dtls1_set_message_header(s, msg_type, len, 0, len);
1516 dtls1_buffer_message(s, 0);
1517 }
1518
1519 ret = 1;
1520
1521 err:
1522 free(data);
1523
1524 return (ret);
1525 }
1526
1527 int
1528 ssl3_handshake_write(SSL *s)
1529 {
1530 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1531 }
1532
1533 int
1534 ssl3_record_write(SSL *s, int type)
1535 {
1536 if (SSL_is_dtls(s))
1537 return dtls1_do_write(s, type);
1538
1539 return ssl3_do_write(s, type);
1540 }
1541
1542 int
1543 ssl3_new(SSL *s)
1544 {
1545 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1546 return (0);
1547
1548 s->method->ssl_clear(s);
1549
1550 return (1);
1551 }
1552
1553 void
1554 ssl3_free(SSL *s)
1555 {
1556 if (s == NULL)
1557 return;
1558
1559 tls1_cleanup_key_block(s);
1560 ssl3_release_read_buffer(s);
1561 ssl3_release_write_buffer(s);
1562
1563 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1564 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1565 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1566 tls_key_share_free(s->s3->hs.key_share);
1567
1568 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1569 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1570 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1571
1572 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1573
1574 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1575 sk_X509_pop_free(s->internal->verified_chain, X509_free);
1576
1577 tls1_transcript_free(s);
1578 tls1_transcript_hash_free(s);
1579
1580 free(s->s3->alpn_selected);
1581
1582 freezero(s->s3->peer_quic_transport_params,
1583 s->s3->peer_quic_transport_params_len);
1584
1585 freezero(s->s3, sizeof(*s->s3));
1586
1587 s->s3 = NULL;
1588 }
1589
1590 void
1591 ssl3_clear(SSL *s)
1592 {
1593 unsigned char *rp, *wp;
1594 size_t rlen, wlen;
1595
1596 tls1_cleanup_key_block(s);
1597 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1598 sk_X509_pop_free(s->internal->verified_chain, X509_free);
1599 s->internal->verified_chain = NULL;
1600
1601 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1602 s->s3->hs.sigalgs = NULL;
1603 s->s3->hs.sigalgs_len = 0;
1604
1605 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1606 s->s3->hs.peer_certs = NULL;
1607 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1608 s->s3->hs.peer_certs_no_leaf = NULL;
1609
1610 tls_key_share_free(s->s3->hs.key_share);
1611 s->s3->hs.key_share = NULL;
1612
1613 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1614 s->s3->hs.tls13.secrets = NULL;
1615 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1616 s->s3->hs.tls13.cookie = NULL;
1617 s->s3->hs.tls13.cookie_len = 0;
1618 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1619
1620 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1621 s->s3->hs.tls13.quic_read_buffer = NULL;
1622 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial;
1623 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial;
1624
1625 s->s3->hs.extensions_seen = 0;
1626
1627 rp = s->s3->rbuf.buf;
1628 wp = s->s3->wbuf.buf;
1629 rlen = s->s3->rbuf.len;
1630 wlen = s->s3->wbuf.len;
1631
1632 tls1_transcript_free(s);
1633 tls1_transcript_hash_free(s);
1634
1635 free(s->s3->alpn_selected);
1636 s->s3->alpn_selected = NULL;
1637 s->s3->alpn_selected_len = 0;
1638
1639 freezero(s->s3->peer_quic_transport_params,
1640 s->s3->peer_quic_transport_params_len);
1641 s->s3->peer_quic_transport_params = NULL;
1642 s->s3->peer_quic_transport_params_len = 0;
1643
1644 memset(s->s3, 0, sizeof(*s->s3));
1645
1646 s->s3->rbuf.buf = rp;
1647 s->s3->wbuf.buf = wp;
1648 s->s3->rbuf.len = rlen;
1649 s->s3->wbuf.len = wlen;
1650
1651 ssl_free_wbio_buffer(s);
1652
1653 /* Not needed... */
1654 s->s3->renegotiate = 0;
1655 s->s3->total_renegotiations = 0;
1656 s->s3->num_renegotiations = 0;
1657 s->s3->in_read_app_data = 0;
1658
1659 s->internal->packet_length = 0;
1660 s->version = TLS1_VERSION;
1661
1662 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1663 }
1664
1665 long
1666 _SSL_get_shared_group(SSL *s, long n)
1667 {
1668 size_t count;
1669 int nid;
1670
1671 /* OpenSSL document that they return -1 for clients. They return 0. */
1672 if (!s->server)
1673 return 0;
1674
1675 if (n == -1) {
1676 if (!tls1_count_shared_groups(s, &count))
1677 return 0;
1678
1679 if (count > LONG_MAX)
1680 count = LONG_MAX;
1681
1682 return count;
1683 }
1684
1685 /* Undocumented special case added for Suite B profile support. */
1686 if (n == -2)
1687 n = 0;
1688
1689 if (n < 0)
1690 return 0;
1691
1692 if (!tls1_get_shared_group_by_index(s, n, &nid))
1693 return NID_undef;
1694
1695 return nid;
1696 }
1697
1698 long
1699 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1700 {
1701 EVP_PKEY *pkey = NULL;
1702 int ret = 0;
1703
1704 *key = NULL;
1705
1706 if (s->s3->hs.key_share == NULL)
1707 goto err;
1708
1709 if ((pkey = EVP_PKEY_new()) == NULL)
1710 goto err;
1711 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1712 goto err;
1713
1714 *key = pkey;
1715 pkey = NULL;
1716
1717 ret = 1;
1718
1719 err:
1720 EVP_PKEY_free(pkey);
1721
1722 return (ret);
1723 }
1724
1725 static int
1726 _SSL_session_reused(SSL *s)
1727 {
1728 return s->internal->hit;
1729 }
1730
1731 static int
1732 _SSL_num_renegotiations(SSL *s)
1733 {
1734 return s->s3->num_renegotiations;
1735 }
1736
1737 static int
1738 _SSL_clear_num_renegotiations(SSL *s)
1739 {
1740 int renegs;
1741
1742 renegs = s->s3->num_renegotiations;
1743 s->s3->num_renegotiations = 0;
1744
1745 return renegs;
1746 }
1747
1748 static int
1749 _SSL_total_renegotiations(SSL *s)
1750 {
1751 return s->s3->total_renegotiations;
1752 }
1753
1754 static int
1755 _SSL_set_tmp_dh(SSL *s, DH *dh)
1756 {
1757 DH *dhe_params;
1758
1759 if (dh == NULL) {
1760 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1761 return 0;
1762 }
1763
1764 if (!ssl_security_dh(s, dh)) {
1765 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1766 return 0;
1767 }
1768
1769 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1770 SSLerror(s, ERR_R_DH_LIB);
1771 return 0;
1772 }
1773
1774 DH_free(s->cert->dhe_params);
1775 s->cert->dhe_params = dhe_params;
1776
1777 return 1;
1778 }
1779
1780 static int
1781 _SSL_set_dh_auto(SSL *s, int state)
1782 {
1783 s->cert->dhe_params_auto = state;
1784 return 1;
1785 }
1786
1787 static int
1788 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1789 {
1790 const EC_GROUP *group;
1791 int nid;
1792
1793 if (ecdh == NULL)
1794 return 0;
1795 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1796 return 0;
1797
1798 nid = EC_GROUP_get_curve_name(group);
1799 return SSL_set1_groups(s, &nid, 1);
1800 }
1801
1802 static int
1803 _SSL_set_ecdh_auto(SSL *s, int state)
1804 {
1805 return 1;
1806 }
1807
1808 static int
1809 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1810 {
1811 int is_ip;
1812 CBS cbs;
1813
1814 free(s->tlsext_hostname);
1815 s->tlsext_hostname = NULL;
1816
1817 if (name == NULL)
1818 return 1;
1819
1820 CBS_init(&cbs, name, strlen(name));
1821
1822 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1823 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1824 return 0;
1825 }
1826 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1827 SSLerror(s, ERR_R_INTERNAL_ERROR);
1828 return 0;
1829 }
1830
1831 return 1;
1832 }
1833
1834 static int
1835 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1836 {
1837 s->internal->tlsext_debug_arg = arg;
1838 return 1;
1839 }
1840
1841 static int
1842 _SSL_get_tlsext_status_type(SSL *s)
1843 {
1844 return s->tlsext_status_type;
1845 }
1846
1847 static int
1848 _SSL_set_tlsext_status_type(SSL *s, int type)
1849 {
1850 s->tlsext_status_type = type;
1851 return 1;
1852 }
1853
1854 static int
1855 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1856 {
1857 *exts = s->internal->tlsext_ocsp_exts;
1858 return 1;
1859 }
1860
1861 static int
1862 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1863 {
1864 /* XXX - leak... */
1865 s->internal->tlsext_ocsp_exts = exts;
1866 return 1;
1867 }
1868
1869 static int
1870 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1871 {
1872 *ids = s->internal->tlsext_ocsp_ids;
1873 return 1;
1874 }
1875
1876 static int
1877 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1878 {
1879 /* XXX - leak... */
1880 s->internal->tlsext_ocsp_ids = ids;
1881 return 1;
1882 }
1883
1884 static int
1885 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1886 {
1887 if (s->internal->tlsext_ocsp_resp != NULL &&
1888 s->internal->tlsext_ocsp_resp_len < INT_MAX) {
1889 *resp = s->internal->tlsext_ocsp_resp;
1890 return (int)s->internal->tlsext_ocsp_resp_len;
1891 }
1892
1893 *resp = NULL;
1894
1895 return -1;
1896 }
1897
1898 static int
1899 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1900 {
1901 free(s->internal->tlsext_ocsp_resp);
1902 s->internal->tlsext_ocsp_resp = NULL;
1903 s->internal->tlsext_ocsp_resp_len = 0;
1904
1905 if (resp_len < 0)
1906 return 0;
1907
1908 s->internal->tlsext_ocsp_resp = resp;
1909 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len;
1910
1911 return 1;
1912 }
1913
1914 int
1915 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1916 {
1917 return ssl_cert_set0_chain(NULL, ssl, chain);
1918 }
1919
1920 int
1921 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1922 {
1923 return ssl_cert_set1_chain(NULL, ssl, chain);
1924 }
1925
1926 int
1927 SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1928 {
1929 return ssl_cert_add0_chain_cert(NULL, ssl, x509);
1930 }
1931
1932 int
1933 SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1934 {
1935 return ssl_cert_add1_chain_cert(NULL, ssl, x509);
1936 }
1937
1938 int
1939 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1940 {
1941 *out_chain = NULL;
1942
1943 if (ssl->cert->key != NULL)
1944 *out_chain = ssl->cert->key->chain;
1945
1946 return 1;
1947 }
1948
1949 int
1950 SSL_clear_chain_certs(SSL *ssl)
1951 {
1952 return ssl_cert_set0_chain(NULL, ssl, NULL);
1953 }
1954
1955 int
1956 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1957 {
1958 return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1959 &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1960 }
1961
1962 int
1963 SSL_set1_groups_list(SSL *s, const char *groups)
1964 {
1965 return tls1_set_group_list(&s->internal->tlsext_supportedgroups,
1966 &s->internal->tlsext_supportedgroups_length, groups);
1967 }
1968
1969 static int
1970 _SSL_get_signature_nid(SSL *s, int *nid)
1971 {
1972 const struct ssl_sigalg *sigalg;
1973
1974 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1975 return 0;
1976
1977 *nid = EVP_MD_type(sigalg->md());
1978
1979 return 1;
1980 }
1981
1982 static int
1983 _SSL_get_peer_signature_nid(SSL *s, int *nid)
1984 {
1985 const struct ssl_sigalg *sigalg;
1986
1987 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1988 return 0;
1989
1990 *nid = EVP_MD_type(sigalg->md());
1991
1992 return 1;
1993 }
1994
1995 int
1996 SSL_get_signature_type_nid(const SSL *s, int *nid)
1997 {
1998 const struct ssl_sigalg *sigalg;
1999
2000 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
2001 return 0;
2002
2003 *nid = sigalg->key_type;
2004 if (sigalg->key_type == EVP_PKEY_RSA &&
2005 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2006 *nid = EVP_PKEY_RSA_PSS;
2007
2008 return 1;
2009 }
2010
2011 int
2012 SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
2013 {
2014 const struct ssl_sigalg *sigalg;
2015
2016 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
2017 return 0;
2018
2019 *nid = sigalg->key_type;
2020 if (sigalg->key_type == EVP_PKEY_RSA &&
2021 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2022 *nid = EVP_PKEY_RSA_PSS;
2023
2024 return 1;
2025 }
2026
2027 long
2028 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2029 {
2030 switch (cmd) {
2031 case SSL_CTRL_GET_SESSION_REUSED:
2032 return _SSL_session_reused(s);
2033
2034 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
2035 return _SSL_num_renegotiations(s);
2036
2037 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
2038 return _SSL_clear_num_renegotiations(s);
2039
2040 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
2041 return _SSL_total_renegotiations(s);
2042
2043 case SSL_CTRL_SET_TMP_DH:
2044 return _SSL_set_tmp_dh(s, parg);
2045
2046 case SSL_CTRL_SET_TMP_DH_CB:
2047 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2048 return 0;
2049
2050 case SSL_CTRL_SET_DH_AUTO:
2051 return _SSL_set_dh_auto(s, larg);
2052
2053 case SSL_CTRL_SET_TMP_ECDH:
2054 return _SSL_set_tmp_ecdh(s, parg);
2055
2056 case SSL_CTRL_SET_TMP_ECDH_CB:
2057 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2058 return 0;
2059
2060 case SSL_CTRL_SET_ECDH_AUTO:
2061 return _SSL_set_ecdh_auto(s, larg);
2062
2063 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2064 if (larg != TLSEXT_NAMETYPE_host_name) {
2065 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2066 return 0;
2067 }
2068 return _SSL_set_tlsext_host_name(s, parg);
2069
2070 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2071 return _SSL_set_tlsext_debug_arg(s, parg);
2072
2073 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
2074 return _SSL_get_tlsext_status_type(s);
2075
2076 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2077 return _SSL_set_tlsext_status_type(s, larg);
2078
2079 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2080 return _SSL_get_tlsext_status_exts(s, parg);
2081
2082 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2083 return _SSL_set_tlsext_status_exts(s, parg);
2084
2085 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2086 return _SSL_get_tlsext_status_ids(s, parg);
2087
2088 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2089 return _SSL_set_tlsext_status_ids(s, parg);
2090
2091 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2092 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2093
2094 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2095 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2096
2097 case SSL_CTRL_CHAIN:
2098 if (larg == 0)
2099 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2100 else
2101 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2102
2103 case SSL_CTRL_CHAIN_CERT:
2104 if (larg == 0)
2105 return SSL_add0_chain_cert(s, (X509 *)parg);
2106 else
2107 return SSL_add1_chain_cert(s, (X509 *)parg);
2108
2109 case SSL_CTRL_GET_CHAIN_CERTS:
2110 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2111
2112 case SSL_CTRL_SET_GROUPS:
2113 return SSL_set1_groups(s, parg, larg);
2114
2115 case SSL_CTRL_SET_GROUPS_LIST:
2116 return SSL_set1_groups_list(s, parg);
2117
2118 case SSL_CTRL_GET_SHARED_GROUP:
2119 return _SSL_get_shared_group(s, larg);
2120
2121 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2122 case SSL_CTRL_GET_SERVER_TMP_KEY:
2123 if (s->server != 0)
2124 return 0;
2125 return _SSL_get_peer_tmp_key(s, parg);
2126
2127 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2128 return SSL_get_min_proto_version(s);
2129
2130 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2131 return SSL_get_max_proto_version(s);
2132
2133 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2134 if (larg < 0 || larg > UINT16_MAX)
2135 return 0;
2136 return SSL_set_min_proto_version(s, larg);
2137
2138 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2139 if (larg < 0 || larg > UINT16_MAX)
2140 return 0;
2141 return SSL_set_max_proto_version(s, larg);
2142
2143 case SSL_CTRL_GET_SIGNATURE_NID:
2144 return _SSL_get_signature_nid(s, parg);
2145
2146 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2147 return _SSL_get_peer_signature_nid(s, parg);
2148
2149 /*
2150 * Legacy controls that should eventually be removed.
2151 */
2152 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2153 return 0;
2154
2155 case SSL_CTRL_GET_FLAGS:
2156 return (int)(s->s3->flags);
2157
2158 case SSL_CTRL_NEED_TMP_RSA:
2159 return 0;
2160
2161 case SSL_CTRL_SET_TMP_RSA:
2162 case SSL_CTRL_SET_TMP_RSA_CB:
2163 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2164 return 0;
2165 }
2166
2167 return 0;
2168 }
2169
2170 long
2171 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2172 {
2173 switch (cmd) {
2174 case SSL_CTRL_SET_TMP_RSA_CB:
2175 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2176 return 0;
2177
2178 case SSL_CTRL_SET_TMP_DH_CB:
2179 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
2180 return 1;
2181
2182 case SSL_CTRL_SET_TMP_ECDH_CB:
2183 return 1;
2184
2185 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2186 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2187 unsigned char *, int, void *))fp;
2188 return 1;
2189 }
2190
2191 return 0;
2192 }
2193
2194 static int
2195 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2196 {
2197 DH *dhe_params;
2198
2199 if (dh == NULL) {
2200 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
2201 return 0;
2202 }
2203
2204 if (!ssl_ctx_security_dh(ctx, dh)) {
2205 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
2206 return 0;
2207 }
2208
2209 if ((dhe_params = DHparams_dup(dh)) == NULL) {
2210 SSLerrorx(ERR_R_DH_LIB);
2211 return 0;
2212 }
2213
2214 DH_free(ctx->internal->cert->dhe_params);
2215 ctx->internal->cert->dhe_params = dhe_params;
2216
2217 return 1;
2218 }
2219
2220 static int
2221 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2222 {
2223 ctx->internal->cert->dhe_params_auto = state;
2224 return 1;
2225 }
2226
2227 static int
2228 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2229 {
2230 const EC_GROUP *group;
2231 int nid;
2232
2233 if (ecdh == NULL)
2234 return 0;
2235 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2236 return 0;
2237
2238 nid = EC_GROUP_get_curve_name(group);
2239 return SSL_CTX_set1_groups(ctx, &nid, 1);
2240 }
2241
2242 static int
2243 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2244 {
2245 return 1;
2246 }
2247
2248 static int
2249 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2250 {
2251 ctx->internal->tlsext_servername_arg = arg;
2252 return 1;
2253 }
2254
2255 static int
2256 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2257 {
2258 if (keys == NULL)
2259 return 48;
2260
2261 if (keys_len != 48) {
2262 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2263 return 0;
2264 }
2265
2266 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2267 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2268 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2269
2270 return 1;
2271 }
2272
2273 static int
2274 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2275 {
2276 if (keys == NULL)
2277 return 48;
2278
2279 if (keys_len != 48) {
2280 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2281 return 0;
2282 }
2283
2284 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2285 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2286 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2287
2288 return 1;
2289 }
2290
2291 static int
2292 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2293 {
2294 *arg = ctx->internal->tlsext_status_arg;
2295 return 1;
2296 }
2297
2298 static int
2299 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2300 {
2301 ctx->internal->tlsext_status_arg = arg;
2302 return 1;
2303 }
2304
2305 int
2306 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2307 {
2308 return ssl_cert_set0_chain(ctx, NULL, chain);
2309 }
2310
2311 int
2312 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2313 {
2314 return ssl_cert_set1_chain(ctx, NULL, chain);
2315 }
2316
2317 int
2318 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2319 {
2320 return ssl_cert_add0_chain_cert(ctx, NULL, x509);
2321 }
2322
2323 int
2324 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2325 {
2326 return ssl_cert_add1_chain_cert(ctx, NULL, x509);
2327 }
2328
2329 int
2330 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2331 {
2332 *out_chain = NULL;
2333
2334 if (ctx->internal->cert->key != NULL)
2335 *out_chain = ctx->internal->cert->key->chain;
2336
2337 return 1;
2338 }
2339
2340 int
2341 SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2342 {
2343 return ssl_cert_set0_chain(ctx, NULL, NULL);
2344 }
2345
2346 static int
2347 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2348 {
2349 if (ctx->extra_certs == NULL) {
2350 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2351 return 0;
2352 }
2353 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2354 return 0;
2355
2356 return 1;
2357 }
2358
2359 static int
2360 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2361 {
2362 *certs = ctx->extra_certs;
2363 if (*certs == NULL)
2364 *certs = ctx->internal->cert->key->chain;
2365
2366 return 1;
2367 }
2368
2369 static int
2370 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2371 {
2372 *certs = ctx->extra_certs;
2373 return 1;
2374 }
2375
2376 static int
2377 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2378 {
2379 sk_X509_pop_free(ctx->extra_certs, X509_free);
2380 ctx->extra_certs = NULL;
2381 return 1;
2382 }
2383
2384 int
2385 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2386 {
2387 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2388 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2389 }
2390
2391 int
2392 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2393 {
2394 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups,
2395 &ctx->internal->tlsext_supportedgroups_length, groups);
2396 }
2397
2398 long
2399 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2400 {
2401 switch (cmd) {
2402 case SSL_CTRL_SET_TMP_DH:
2403 return _SSL_CTX_set_tmp_dh(ctx, parg);
2404
2405 case SSL_CTRL_SET_TMP_DH_CB:
2406 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2407 return 0;
2408
2409 case SSL_CTRL_SET_DH_AUTO:
2410 return _SSL_CTX_set_dh_auto(ctx, larg);
2411
2412 case SSL_CTRL_SET_TMP_ECDH:
2413 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2414
2415 case SSL_CTRL_SET_TMP_ECDH_CB:
2416 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2417 return 0;
2418
2419 case SSL_CTRL_SET_ECDH_AUTO:
2420 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2421
2422 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2423 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2424
2425 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2426 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2427
2428 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2429 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2430
2431 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2432 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2433
2434 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2435 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2436
2437 case SSL_CTRL_CHAIN:
2438 if (larg == 0)
2439 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2440 else
2441 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2442
2443 case SSL_CTRL_CHAIN_CERT:
2444 if (larg == 0)
2445 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2446 else
2447 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2448
2449 case SSL_CTRL_GET_CHAIN_CERTS:
2450 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2451
2452 case SSL_CTRL_EXTRA_CHAIN_CERT:
2453 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2454
2455 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2456 if (larg == 0)
2457 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2458 else
2459 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2460
2461 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2462 return _SSL_CTX_clear_extra_chain_certs(ctx);
2463
2464 case SSL_CTRL_SET_GROUPS:
2465 return SSL_CTX_set1_groups(ctx, parg, larg);
2466
2467 case SSL_CTRL_SET_GROUPS_LIST:
2468 return SSL_CTX_set1_groups_list(ctx, parg);
2469
2470 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2471 return SSL_CTX_get_min_proto_version(ctx);
2472
2473 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2474 return SSL_CTX_get_max_proto_version(ctx);
2475
2476 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2477 if (larg < 0 || larg > UINT16_MAX)
2478 return 0;
2479 return SSL_CTX_set_min_proto_version(ctx, larg);
2480
2481 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2482 if (larg < 0 || larg > UINT16_MAX)
2483 return 0;
2484 return SSL_CTX_set_max_proto_version(ctx, larg);
2485
2486 /*
2487 * Legacy controls that should eventually be removed.
2488 */
2489 case SSL_CTRL_NEED_TMP_RSA:
2490 return 0;
2491
2492 case SSL_CTRL_SET_TMP_RSA:
2493 case SSL_CTRL_SET_TMP_RSA_CB:
2494 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2495 return 0;
2496 }
2497
2498 return 0;
2499 }
2500
2501 long
2502 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2503 {
2504 switch (cmd) {
2505 case SSL_CTRL_SET_TMP_RSA_CB:
2506 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2507 return 0;
2508
2509 case SSL_CTRL_SET_TMP_DH_CB:
2510 ctx->internal->cert->dhe_params_cb =
2511 (DH *(*)(SSL *, int, int))fp;
2512 return 1;
2513
2514 case SSL_CTRL_SET_TMP_ECDH_CB:
2515 return 1;
2516
2517 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2518 ctx->internal->tlsext_servername_callback =
2519 (int (*)(SSL *, int *, void *))fp;
2520 return 1;
2521
2522 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2523 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2524 return 1;
2525
2526 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2527 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2528 return 1;
2529
2530 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2531 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2532 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2533 return 1;
2534 }
2535
2536 return 0;
2537 }
2538
2539 SSL_CIPHER *
2540 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2541 STACK_OF(SSL_CIPHER) *srvr)
2542 {
2543 unsigned long alg_k, alg_a, mask_k, mask_a;
2544 STACK_OF(SSL_CIPHER) *prio, *allow;
2545 SSL_CIPHER *c, *ret = NULL;
2546 int can_use_ecc;
2547 int i, ii, nid, ok;
2548 SSL_CERT *cert;
2549
2550 /* Let's see which ciphers we can support */
2551 cert = s->cert;
2552
2553 can_use_ecc = tls1_get_supported_group(s, &nid);
2554
2555 /*
2556 * Do not set the compare functions, because this may lead to a
2557 * reordering by "id". We want to keep the original ordering.
2558 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2559 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2560 */
2561
2562 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2563 prio = srvr;
2564 allow = clnt;
2565 } else {
2566 prio = clnt;
2567 allow = srvr;
2568 }
2569
2570 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2571 c = sk_SSL_CIPHER_value(prio, i);
2572
2573 /* Skip TLS v1.2 only ciphersuites if not supported. */
2574 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2575 !SSL_USE_TLS1_2_CIPHERS(s))
2576 continue;
2577
2578 /* Skip TLS v1.3 only ciphersuites if not supported. */
2579 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2580 !SSL_USE_TLS1_3_CIPHERS(s))
2581 continue;
2582
2583 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2584 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2585 !(c->algorithm_ssl & SSL_TLSV1_3))
2586 continue;
2587
2588 if (!ssl_security_shared_cipher(s, c))
2589 continue;
2590
2591 ssl_set_cert_masks(cert, c);
2592 mask_k = cert->mask_k;
2593 mask_a = cert->mask_a;
2594
2595 alg_k = c->algorithm_mkey;
2596 alg_a = c->algorithm_auth;
2597
2598 ok = (alg_k & mask_k) && (alg_a & mask_a);
2599
2600 /*
2601 * If we are considering an ECC cipher suite that uses our
2602 * certificate check it.
2603 */
2604 if (alg_a & SSL_aECDSA)
2605 ok = ok && tls1_check_ec_server_key(s);
2606 /*
2607 * If we are considering an ECC cipher suite that uses
2608 * an ephemeral EC key check it.
2609 */
2610 if (alg_k & SSL_kECDHE)
2611 ok = ok && can_use_ecc;
2612
2613 if (!ok)
2614 continue;
2615 ii = sk_SSL_CIPHER_find(allow, c);
2616 if (ii >= 0) {
2617 ret = sk_SSL_CIPHER_value(allow, ii);
2618 break;
2619 }
2620 }
2621 return (ret);
2622 }
2623
2624 int
2625 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2626 {
2627 unsigned long alg_k;
2628
2629 alg_k = s->s3->hs.cipher->algorithm_mkey;
2630
2631 #ifndef OPENSSL_NO_GOST
2632 if ((alg_k & SSL_kGOST) != 0) {
2633 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2634 return 0;
2635 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2636 return 0;
2637 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2638 return 0;
2639 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2640 return 0;
2641 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2642 return 0;
2643 }
2644 #endif
2645
2646 if ((alg_k & SSL_kDHE) != 0) {
2647 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2648 return 0;
2649 }
2650
2651 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2652 return 0;
2653
2654 /*
2655 * ECDSA certs can be used with RSA cipher suites as well
2656 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2657 */
2658 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2659 return 0;
2660
2661 return 1;
2662 }
2663
2664 int
2665 ssl3_shutdown(SSL *s)
2666 {
2667 int ret;
2668
2669 /*
2670 * Don't do anything much if we have not done the handshake or
2671 * we don't want to send messages :-)
2672 */
2673 if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2674 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2675 return (1);
2676 }
2677
2678 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2679 s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2680 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2681 /*
2682 * Our shutdown alert has been sent now, and if it still needs
2683 * to be written, s->s3->alert_dispatch will be true
2684 */
2685 if (s->s3->alert_dispatch)
2686 return (-1); /* return WANT_WRITE */
2687 } else if (s->s3->alert_dispatch) {
2688 /* resend it if not sent */
2689 ret = ssl3_dispatch_alert(s);
2690 if (ret == -1) {
2691 /*
2692 * We only get to return -1 here the 2nd/Nth
2693 * invocation, we must have already signalled
2694 * return 0 upon a previous invoation,
2695 * return WANT_WRITE
2696 */
2697 return (ret);
2698 }
2699 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2700 /* If we are waiting for a close from our peer, we are closed */
2701 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2702 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2703 return (-1); /* return WANT_READ */
2704 }
2705 }
2706
2707 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2708 !s->s3->alert_dispatch)
2709 return (1);
2710 else
2711 return (0);
2712 }
2713
2714 int
2715 ssl3_write(SSL *s, const void *buf, int len)
2716 {
2717 errno = 0;
2718
2719 if (s->s3->renegotiate)
2720 ssl3_renegotiate_check(s);
2721
2722 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2723 buf, len);
2724 }
2725
2726 static int
2727 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2728 {
2729 int ret;
2730
2731 errno = 0;
2732 if (s->s3->renegotiate)
2733 ssl3_renegotiate_check(s);
2734 s->s3->in_read_app_data = 1;
2735
2736 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2737 peek);
2738 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2739 /*
2740 * ssl3_read_bytes decided to call s->internal->handshake_func,
2741 * which called ssl3_read_bytes to read handshake data.
2742 * However, ssl3_read_bytes actually found application data
2743 * and thinks that application data makes sense here; so disable
2744 * handshake processing and try to read application data again.
2745 */
2746 s->internal->in_handshake++;
2747 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2748 buf, len, peek);
2749 s->internal->in_handshake--;
2750 } else
2751 s->s3->in_read_app_data = 0;
2752
2753 return (ret);
2754 }
2755
2756 int
2757 ssl3_read(SSL *s, void *buf, int len)
2758 {
2759 return ssl3_read_internal(s, buf, len, 0);
2760 }
2761
2762 int
2763 ssl3_peek(SSL *s, void *buf, int len)
2764 {
2765 return ssl3_read_internal(s, buf, len, 1);
2766 }
2767
2768 int
2769 ssl3_renegotiate(SSL *s)
2770 {
2771 if (s->internal->handshake_func == NULL)
2772 return 1;
2773
2774 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2775 return 0;
2776
2777 s->s3->renegotiate = 1;
2778
2779 return 1;
2780 }
2781
2782 int
2783 ssl3_renegotiate_check(SSL *s)
2784 {
2785 if (!s->s3->renegotiate)
2786 return 0;
2787 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2788 return 0;
2789
2790 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2791 s->s3->renegotiate = 0;
2792 s->s3->num_renegotiations++;
2793 s->s3->total_renegotiations++;
2794
2795 return 1;
2796 }
DragonFly BSD