search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update libressl to 2.8.2
[unleashed.git] / lib / libssl / s3_lib.c
blob02e6c66a4722e52721c71f435e8e71f1a5cd75be
1 /* $OpenBSD: s3_lib.c,v 1.170 2018/09/06 16:40:45 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <limits.h>
152 #include <stdio.h>
153
154 #include <openssl/bn.h>
155 #include <openssl/curve25519.h>
156 #include <openssl/dh.h>
157 #include <openssl/md5.h>
158 #include <openssl/objects.h>
159
160 #include "ssl_locl.h"
161 #include "bytestring.h"
162
163 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
164
165 /*
166 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
167 * fixed nonce length in algorithms2. It is the inverse of the
168 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
169 */
170 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
171
172 /* list of available SSLv3 ciphers (sorted by id) */
173 SSL_CIPHER ssl3_ciphers[] = {
174
175 /* The RSA ciphers */
176 /* Cipher 01 */
177 {
178 .valid = 1,
179 .name = SSL3_TXT_RSA_NULL_MD5,
180 .id = SSL3_CK_RSA_NULL_MD5,
181 .algorithm_mkey = SSL_kRSA,
182 .algorithm_auth = SSL_aRSA,
183 .algorithm_enc = SSL_eNULL,
184 .algorithm_mac = SSL_MD5,
185 .algorithm_ssl = SSL_SSLV3,
186 .algo_strength = SSL_STRONG_NONE,
187 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
188 .strength_bits = 0,
189 .alg_bits = 0,
190 },
191
192 /* Cipher 02 */
193 {
194 .valid = 1,
195 .name = SSL3_TXT_RSA_NULL_SHA,
196 .id = SSL3_CK_RSA_NULL_SHA,
197 .algorithm_mkey = SSL_kRSA,
198 .algorithm_auth = SSL_aRSA,
199 .algorithm_enc = SSL_eNULL,
200 .algorithm_mac = SSL_SHA1,
201 .algorithm_ssl = SSL_SSLV3,
202 .algo_strength = SSL_STRONG_NONE,
203 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
204 .strength_bits = 0,
205 .alg_bits = 0,
206 },
207
208 /* Cipher 04 */
209 {
210 .valid = 1,
211 .name = SSL3_TXT_RSA_RC4_128_MD5,
212 .id = SSL3_CK_RSA_RC4_128_MD5,
213 .algorithm_mkey = SSL_kRSA,
214 .algorithm_auth = SSL_aRSA,
215 .algorithm_enc = SSL_RC4,
216 .algorithm_mac = SSL_MD5,
217 .algorithm_ssl = SSL_SSLV3,
218 .algo_strength = SSL_LOW,
219 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
220 .strength_bits = 128,
221 .alg_bits = 128,
222 },
223
224 /* Cipher 05 */
225 {
226 .valid = 1,
227 .name = SSL3_TXT_RSA_RC4_128_SHA,
228 .id = SSL3_CK_RSA_RC4_128_SHA,
229 .algorithm_mkey = SSL_kRSA,
230 .algorithm_auth = SSL_aRSA,
231 .algorithm_enc = SSL_RC4,
232 .algorithm_mac = SSL_SHA1,
233 .algorithm_ssl = SSL_SSLV3,
234 .algo_strength = SSL_LOW,
235 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
236 .strength_bits = 128,
237 .alg_bits = 128,
238 },
239
240 /* Cipher 0A */
241 {
242 .valid = 1,
243 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
244 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
245 .algorithm_mkey = SSL_kRSA,
246 .algorithm_auth = SSL_aRSA,
247 .algorithm_enc = SSL_3DES,
248 .algorithm_mac = SSL_SHA1,
249 .algorithm_ssl = SSL_SSLV3,
250 .algo_strength = SSL_MEDIUM,
251 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
252 .strength_bits = 112,
253 .alg_bits = 168,
254 },
255
256 /*
257 * Ephemeral DH (DHE) ciphers.
258 */
259
260 /* Cipher 16 */
261 {
262 .valid = 1,
263 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
264 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
265 .algorithm_mkey = SSL_kDHE,
266 .algorithm_auth = SSL_aRSA,
267 .algorithm_enc = SSL_3DES,
268 .algorithm_mac = SSL_SHA1,
269 .algorithm_ssl = SSL_SSLV3,
270 .algo_strength = SSL_MEDIUM,
271 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
272 .strength_bits = 112,
273 .alg_bits = 168,
274 },
275
276 /* Cipher 18 */
277 {
278 .valid = 1,
279 .name = SSL3_TXT_ADH_RC4_128_MD5,
280 .id = SSL3_CK_ADH_RC4_128_MD5,
281 .algorithm_mkey = SSL_kDHE,
282 .algorithm_auth = SSL_aNULL,
283 .algorithm_enc = SSL_RC4,
284 .algorithm_mac = SSL_MD5,
285 .algorithm_ssl = SSL_SSLV3,
286 .algo_strength = SSL_LOW,
287 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
288 .strength_bits = 128,
289 .alg_bits = 128,
290 },
291
292 /* Cipher 1B */
293 {
294 .valid = 1,
295 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
296 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
297 .algorithm_mkey = SSL_kDHE,
298 .algorithm_auth = SSL_aNULL,
299 .algorithm_enc = SSL_3DES,
300 .algorithm_mac = SSL_SHA1,
301 .algorithm_ssl = SSL_SSLV3,
302 .algo_strength = SSL_MEDIUM,
303 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
304 .strength_bits = 112,
305 .alg_bits = 168,
306 },
307
308 /*
309 * AES ciphersuites.
310 */
311
312 /* Cipher 2F */
313 {
314 .valid = 1,
315 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
316 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
317 .algorithm_mkey = SSL_kRSA,
318 .algorithm_auth = SSL_aRSA,
319 .algorithm_enc = SSL_AES128,
320 .algorithm_mac = SSL_SHA1,
321 .algorithm_ssl = SSL_TLSV1,
322 .algo_strength = SSL_HIGH,
323 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
324 .strength_bits = 128,
325 .alg_bits = 128,
326 },
327
328 /* Cipher 33 */
329 {
330 .valid = 1,
331 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
332 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
333 .algorithm_mkey = SSL_kDHE,
334 .algorithm_auth = SSL_aRSA,
335 .algorithm_enc = SSL_AES128,
336 .algorithm_mac = SSL_SHA1,
337 .algorithm_ssl = SSL_TLSV1,
338 .algo_strength = SSL_HIGH,
339 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
340 .strength_bits = 128,
341 .alg_bits = 128,
342 },
343
344 /* Cipher 34 */
345 {
346 .valid = 1,
347 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
348 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
349 .algorithm_mkey = SSL_kDHE,
350 .algorithm_auth = SSL_aNULL,
351 .algorithm_enc = SSL_AES128,
352 .algorithm_mac = SSL_SHA1,
353 .algorithm_ssl = SSL_TLSV1,
354 .algo_strength = SSL_HIGH,
355 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
356 .strength_bits = 128,
357 .alg_bits = 128,
358 },
359
360 /* Cipher 35 */
361 {
362 .valid = 1,
363 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
364 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
365 .algorithm_mkey = SSL_kRSA,
366 .algorithm_auth = SSL_aRSA,
367 .algorithm_enc = SSL_AES256,
368 .algorithm_mac = SSL_SHA1,
369 .algorithm_ssl = SSL_TLSV1,
370 .algo_strength = SSL_HIGH,
371 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
372 .strength_bits = 256,
373 .alg_bits = 256,
374 },
375
376 /* Cipher 39 */
377 {
378 .valid = 1,
379 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
380 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
381 .algorithm_mkey = SSL_kDHE,
382 .algorithm_auth = SSL_aRSA,
383 .algorithm_enc = SSL_AES256,
384 .algorithm_mac = SSL_SHA1,
385 .algorithm_ssl = SSL_TLSV1,
386 .algo_strength = SSL_HIGH,
387 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
388 .strength_bits = 256,
389 .alg_bits = 256,
390 },
391
392 /* Cipher 3A */
393 {
394 .valid = 1,
395 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
396 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
397 .algorithm_mkey = SSL_kDHE,
398 .algorithm_auth = SSL_aNULL,
399 .algorithm_enc = SSL_AES256,
400 .algorithm_mac = SSL_SHA1,
401 .algorithm_ssl = SSL_TLSV1,
402 .algo_strength = SSL_HIGH,
403 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
404 .strength_bits = 256,
405 .alg_bits = 256,
406 },
407
408 /* TLS v1.2 ciphersuites */
409 /* Cipher 3B */
410 {
411 .valid = 1,
412 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
413 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
414 .algorithm_mkey = SSL_kRSA,
415 .algorithm_auth = SSL_aRSA,
416 .algorithm_enc = SSL_eNULL,
417 .algorithm_mac = SSL_SHA256,
418 .algorithm_ssl = SSL_TLSV1_2,
419 .algo_strength = SSL_STRONG_NONE,
420 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
421 .strength_bits = 0,
422 .alg_bits = 0,
423 },
424
425 /* Cipher 3C */
426 {
427 .valid = 1,
428 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
429 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
430 .algorithm_mkey = SSL_kRSA,
431 .algorithm_auth = SSL_aRSA,
432 .algorithm_enc = SSL_AES128,
433 .algorithm_mac = SSL_SHA256,
434 .algorithm_ssl = SSL_TLSV1_2,
435 .algo_strength = SSL_HIGH,
436 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
437 .strength_bits = 128,
438 .alg_bits = 128,
439 },
440
441 /* Cipher 3D */
442 {
443 .valid = 1,
444 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
445 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
446 .algorithm_mkey = SSL_kRSA,
447 .algorithm_auth = SSL_aRSA,
448 .algorithm_enc = SSL_AES256,
449 .algorithm_mac = SSL_SHA256,
450 .algorithm_ssl = SSL_TLSV1_2,
451 .algo_strength = SSL_HIGH,
452 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
453 .strength_bits = 256,
454 .alg_bits = 256,
455 },
456
457 #ifndef OPENSSL_NO_CAMELLIA
458 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
459
460 /* Cipher 41 */
461 {
462 .valid = 1,
463 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
464 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
465 .algorithm_mkey = SSL_kRSA,
466 .algorithm_auth = SSL_aRSA,
467 .algorithm_enc = SSL_CAMELLIA128,
468 .algorithm_mac = SSL_SHA1,
469 .algorithm_ssl = SSL_TLSV1,
470 .algo_strength = SSL_HIGH,
471 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
472 .strength_bits = 128,
473 .alg_bits = 128,
474 },
475
476 /* Cipher 45 */
477 {
478 .valid = 1,
479 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
480 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
481 .algorithm_mkey = SSL_kDHE,
482 .algorithm_auth = SSL_aRSA,
483 .algorithm_enc = SSL_CAMELLIA128,
484 .algorithm_mac = SSL_SHA1,
485 .algorithm_ssl = SSL_TLSV1,
486 .algo_strength = SSL_HIGH,
487 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
488 .strength_bits = 128,
489 .alg_bits = 128,
490 },
491
492 /* Cipher 46 */
493 {
494 .valid = 1,
495 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
496 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
497 .algorithm_mkey = SSL_kDHE,
498 .algorithm_auth = SSL_aNULL,
499 .algorithm_enc = SSL_CAMELLIA128,
500 .algorithm_mac = SSL_SHA1,
501 .algorithm_ssl = SSL_TLSV1,
502 .algo_strength = SSL_HIGH,
503 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
504 .strength_bits = 128,
505 .alg_bits = 128,
506 },
507 #endif /* OPENSSL_NO_CAMELLIA */
508
509 /* TLS v1.2 ciphersuites */
510 /* Cipher 67 */
511 {
512 .valid = 1,
513 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
514 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
515 .algorithm_mkey = SSL_kDHE,
516 .algorithm_auth = SSL_aRSA,
517 .algorithm_enc = SSL_AES128,
518 .algorithm_mac = SSL_SHA256,
519 .algorithm_ssl = SSL_TLSV1_2,
520 .algo_strength = SSL_HIGH,
521 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
522 .strength_bits = 128,
523 .alg_bits = 128,
524 },
525
526 /* Cipher 6B */
527 {
528 .valid = 1,
529 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
530 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
531 .algorithm_mkey = SSL_kDHE,
532 .algorithm_auth = SSL_aRSA,
533 .algorithm_enc = SSL_AES256,
534 .algorithm_mac = SSL_SHA256,
535 .algorithm_ssl = SSL_TLSV1_2,
536 .algo_strength = SSL_HIGH,
537 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
538 .strength_bits = 256,
539 .alg_bits = 256,
540 },
541
542 /* Cipher 6C */
543 {
544 .valid = 1,
545 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
546 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
547 .algorithm_mkey = SSL_kDHE,
548 .algorithm_auth = SSL_aNULL,
549 .algorithm_enc = SSL_AES128,
550 .algorithm_mac = SSL_SHA256,
551 .algorithm_ssl = SSL_TLSV1_2,
552 .algo_strength = SSL_HIGH,
553 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
554 .strength_bits = 128,
555 .alg_bits = 128,
556 },
557
558 /* Cipher 6D */
559 {
560 .valid = 1,
561 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
562 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
563 .algorithm_mkey = SSL_kDHE,
564 .algorithm_auth = SSL_aNULL,
565 .algorithm_enc = SSL_AES256,
566 .algorithm_mac = SSL_SHA256,
567 .algorithm_ssl = SSL_TLSV1_2,
568 .algo_strength = SSL_HIGH,
569 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
570 .strength_bits = 256,
571 .alg_bits = 256,
572 },
573
574 /* GOST Ciphersuites */
575
576 /* Cipher 81 */
577 {
578 .valid = 1,
579 .name = "GOST2001-GOST89-GOST89",
580 .id = 0x3000081,
581 .algorithm_mkey = SSL_kGOST,
582 .algorithm_auth = SSL_aGOST01,
583 .algorithm_enc = SSL_eGOST2814789CNT,
584 .algorithm_mac = SSL_GOST89MAC,
585 .algorithm_ssl = SSL_TLSV1,
586 .algo_strength = SSL_HIGH,
587 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
588 TLS1_STREAM_MAC,
589 .strength_bits = 256,
590 .alg_bits = 256
591 },
592
593 /* Cipher 83 */
594 {
595 .valid = 1,
596 .name = "GOST2001-NULL-GOST94",
597 .id = 0x3000083,
598 .algorithm_mkey = SSL_kGOST,
599 .algorithm_auth = SSL_aGOST01,
600 .algorithm_enc = SSL_eNULL,
601 .algorithm_mac = SSL_GOST94,
602 .algorithm_ssl = SSL_TLSV1,
603 .algo_strength = SSL_STRONG_NONE,
604 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
605 .strength_bits = 0,
606 .alg_bits = 0
607 },
608
609 #ifndef OPENSSL_NO_CAMELLIA
610 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
611
612 /* Cipher 84 */
613 {
614 .valid = 1,
615 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
616 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
617 .algorithm_mkey = SSL_kRSA,
618 .algorithm_auth = SSL_aRSA,
619 .algorithm_enc = SSL_CAMELLIA256,
620 .algorithm_mac = SSL_SHA1,
621 .algorithm_ssl = SSL_TLSV1,
622 .algo_strength = SSL_HIGH,
623 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
624 .strength_bits = 256,
625 .alg_bits = 256,
626 },
627
628 /* Cipher 88 */
629 {
630 .valid = 1,
631 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
632 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
633 .algorithm_mkey = SSL_kDHE,
634 .algorithm_auth = SSL_aRSA,
635 .algorithm_enc = SSL_CAMELLIA256,
636 .algorithm_mac = SSL_SHA1,
637 .algorithm_ssl = SSL_TLSV1,
638 .algo_strength = SSL_HIGH,
639 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
640 .strength_bits = 256,
641 .alg_bits = 256,
642 },
643
644 /* Cipher 89 */
645 {
646 .valid = 1,
647 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
648 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
649 .algorithm_mkey = SSL_kDHE,
650 .algorithm_auth = SSL_aNULL,
651 .algorithm_enc = SSL_CAMELLIA256,
652 .algorithm_mac = SSL_SHA1,
653 .algorithm_ssl = SSL_TLSV1,
654 .algo_strength = SSL_HIGH,
655 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
656 .strength_bits = 256,
657 .alg_bits = 256,
658 },
659 #endif /* OPENSSL_NO_CAMELLIA */
660
661 /*
662 * GCM ciphersuites from RFC5288.
663 */
664
665 /* Cipher 9C */
666 {
667 .valid = 1,
668 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
669 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
670 .algorithm_mkey = SSL_kRSA,
671 .algorithm_auth = SSL_aRSA,
672 .algorithm_enc = SSL_AES128GCM,
673 .algorithm_mac = SSL_AEAD,
674 .algorithm_ssl = SSL_TLSV1_2,
675 .algo_strength = SSL_HIGH,
676 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
677 FIXED_NONCE_LEN(4)|
678 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
679 .strength_bits = 128,
680 .alg_bits = 128,
681 },
682
683 /* Cipher 9D */
684 {
685 .valid = 1,
686 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
687 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
688 .algorithm_mkey = SSL_kRSA,
689 .algorithm_auth = SSL_aRSA,
690 .algorithm_enc = SSL_AES256GCM,
691 .algorithm_mac = SSL_AEAD,
692 .algorithm_ssl = SSL_TLSV1_2,
693 .algo_strength = SSL_HIGH,
694 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
695 FIXED_NONCE_LEN(4)|
696 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
697 .strength_bits = 256,
698 .alg_bits = 256,
699 },
700
701 /* Cipher 9E */
702 {
703 .valid = 1,
704 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
705 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
706 .algorithm_mkey = SSL_kDHE,
707 .algorithm_auth = SSL_aRSA,
708 .algorithm_enc = SSL_AES128GCM,
709 .algorithm_mac = SSL_AEAD,
710 .algorithm_ssl = SSL_TLSV1_2,
711 .algo_strength = SSL_HIGH,
712 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
713 FIXED_NONCE_LEN(4)|
714 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
715 .strength_bits = 128,
716 .alg_bits = 128,
717 },
718
719 /* Cipher 9F */
720 {
721 .valid = 1,
722 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
723 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
724 .algorithm_mkey = SSL_kDHE,
725 .algorithm_auth = SSL_aRSA,
726 .algorithm_enc = SSL_AES256GCM,
727 .algorithm_mac = SSL_AEAD,
728 .algorithm_ssl = SSL_TLSV1_2,
729 .algo_strength = SSL_HIGH,
730 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
731 FIXED_NONCE_LEN(4)|
732 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
733 .strength_bits = 256,
734 .alg_bits = 256,
735 },
736
737 /* Cipher A6 */
738 {
739 .valid = 1,
740 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
741 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
742 .algorithm_mkey = SSL_kDHE,
743 .algorithm_auth = SSL_aNULL,
744 .algorithm_enc = SSL_AES128GCM,
745 .algorithm_mac = SSL_AEAD,
746 .algorithm_ssl = SSL_TLSV1_2,
747 .algo_strength = SSL_HIGH,
748 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
749 FIXED_NONCE_LEN(4)|
750 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
751 .strength_bits = 128,
752 .alg_bits = 128,
753 },
754
755 /* Cipher A7 */
756 {
757 .valid = 1,
758 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
759 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
760 .algorithm_mkey = SSL_kDHE,
761 .algorithm_auth = SSL_aNULL,
762 .algorithm_enc = SSL_AES256GCM,
763 .algorithm_mac = SSL_AEAD,
764 .algorithm_ssl = SSL_TLSV1_2,
765 .algo_strength = SSL_HIGH,
766 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
767 FIXED_NONCE_LEN(4)|
768 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
769 .strength_bits = 256,
770 .alg_bits = 256,
771 },
772
773 #ifndef OPENSSL_NO_CAMELLIA
774 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
775
776 /* Cipher BA */
777 {
778 .valid = 1,
779 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
780 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
781 .algorithm_mkey = SSL_kRSA,
782 .algorithm_auth = SSL_aRSA,
783 .algorithm_enc = SSL_CAMELLIA128,
784 .algorithm_mac = SSL_SHA256,
785 .algorithm_ssl = SSL_TLSV1_2,
786 .algo_strength = SSL_HIGH,
787 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
788 .strength_bits = 128,
789 .alg_bits = 128,
790 },
791
792 /* Cipher BE */
793 {
794 .valid = 1,
795 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
796 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
797 .algorithm_mkey = SSL_kDHE,
798 .algorithm_auth = SSL_aRSA,
799 .algorithm_enc = SSL_CAMELLIA128,
800 .algorithm_mac = SSL_SHA256,
801 .algorithm_ssl = SSL_TLSV1_2,
802 .algo_strength = SSL_HIGH,
803 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
804 .strength_bits = 128,
805 .alg_bits = 128,
806 },
807
808 /* Cipher BF */
809 {
810 .valid = 1,
811 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
812 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
813 .algorithm_mkey = SSL_kDHE,
814 .algorithm_auth = SSL_aNULL,
815 .algorithm_enc = SSL_CAMELLIA128,
816 .algorithm_mac = SSL_SHA256,
817 .algorithm_ssl = SSL_TLSV1_2,
818 .algo_strength = SSL_HIGH,
819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
820 .strength_bits = 128,
821 .alg_bits = 128,
822 },
823
824 /* Cipher C0 */
825 {
826 .valid = 1,
827 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
828 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
829 .algorithm_mkey = SSL_kRSA,
830 .algorithm_auth = SSL_aRSA,
831 .algorithm_enc = SSL_CAMELLIA256,
832 .algorithm_mac = SSL_SHA256,
833 .algorithm_ssl = SSL_TLSV1_2,
834 .algo_strength = SSL_HIGH,
835 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
836 .strength_bits = 256,
837 .alg_bits = 256,
838 },
839
840 /* Cipher C4 */
841 {
842 .valid = 1,
843 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
844 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
845 .algorithm_mkey = SSL_kDHE,
846 .algorithm_auth = SSL_aRSA,
847 .algorithm_enc = SSL_CAMELLIA256,
848 .algorithm_mac = SSL_SHA256,
849 .algorithm_ssl = SSL_TLSV1_2,
850 .algo_strength = SSL_HIGH,
851 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
852 .strength_bits = 256,
853 .alg_bits = 256,
854 },
855
856 /* Cipher C5 */
857 {
858 .valid = 1,
859 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
860 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
861 .algorithm_mkey = SSL_kDHE,
862 .algorithm_auth = SSL_aNULL,
863 .algorithm_enc = SSL_CAMELLIA256,
864 .algorithm_mac = SSL_SHA256,
865 .algorithm_ssl = SSL_TLSV1_2,
866 .algo_strength = SSL_HIGH,
867 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
868 .strength_bits = 256,
869 .alg_bits = 256,
870 },
871 #endif /* OPENSSL_NO_CAMELLIA */
872
873 /* Cipher C006 */
874 {
875 .valid = 1,
876 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
877 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
878 .algorithm_mkey = SSL_kECDHE,
879 .algorithm_auth = SSL_aECDSA,
880 .algorithm_enc = SSL_eNULL,
881 .algorithm_mac = SSL_SHA1,
882 .algorithm_ssl = SSL_TLSV1,
883 .algo_strength = SSL_STRONG_NONE,
884 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
885 .strength_bits = 0,
886 .alg_bits = 0,
887 },
888
889 /* Cipher C007 */
890 {
891 .valid = 1,
892 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
893 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
894 .algorithm_mkey = SSL_kECDHE,
895 .algorithm_auth = SSL_aECDSA,
896 .algorithm_enc = SSL_RC4,
897 .algorithm_mac = SSL_SHA1,
898 .algorithm_ssl = SSL_TLSV1,
899 .algo_strength = SSL_LOW,
900 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
901 .strength_bits = 128,
902 .alg_bits = 128,
903 },
904
905 /* Cipher C008 */
906 {
907 .valid = 1,
908 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
909 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
910 .algorithm_mkey = SSL_kECDHE,
911 .algorithm_auth = SSL_aECDSA,
912 .algorithm_enc = SSL_3DES,
913 .algorithm_mac = SSL_SHA1,
914 .algorithm_ssl = SSL_TLSV1,
915 .algo_strength = SSL_MEDIUM,
916 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
917 .strength_bits = 112,
918 .alg_bits = 168,
919 },
920
921 /* Cipher C009 */
922 {
923 .valid = 1,
924 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
925 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
926 .algorithm_mkey = SSL_kECDHE,
927 .algorithm_auth = SSL_aECDSA,
928 .algorithm_enc = SSL_AES128,
929 .algorithm_mac = SSL_SHA1,
930 .algorithm_ssl = SSL_TLSV1,
931 .algo_strength = SSL_HIGH,
932 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
933 .strength_bits = 128,
934 .alg_bits = 128,
935 },
936
937 /* Cipher C00A */
938 {
939 .valid = 1,
940 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
941 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
942 .algorithm_mkey = SSL_kECDHE,
943 .algorithm_auth = SSL_aECDSA,
944 .algorithm_enc = SSL_AES256,
945 .algorithm_mac = SSL_SHA1,
946 .algorithm_ssl = SSL_TLSV1,
947 .algo_strength = SSL_HIGH,
948 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
949 .strength_bits = 256,
950 .alg_bits = 256,
951 },
952
953 /* Cipher C010 */
954 {
955 .valid = 1,
956 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
957 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
958 .algorithm_mkey = SSL_kECDHE,
959 .algorithm_auth = SSL_aRSA,
960 .algorithm_enc = SSL_eNULL,
961 .algorithm_mac = SSL_SHA1,
962 .algorithm_ssl = SSL_TLSV1,
963 .algo_strength = SSL_STRONG_NONE,
964 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
965 .strength_bits = 0,
966 .alg_bits = 0,
967 },
968
969 /* Cipher C011 */
970 {
971 .valid = 1,
972 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
973 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
974 .algorithm_mkey = SSL_kECDHE,
975 .algorithm_auth = SSL_aRSA,
976 .algorithm_enc = SSL_RC4,
977 .algorithm_mac = SSL_SHA1,
978 .algorithm_ssl = SSL_TLSV1,
979 .algo_strength = SSL_LOW,
980 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
981 .strength_bits = 128,
982 .alg_bits = 128,
983 },
984
985 /* Cipher C012 */
986 {
987 .valid = 1,
988 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
989 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
990 .algorithm_mkey = SSL_kECDHE,
991 .algorithm_auth = SSL_aRSA,
992 .algorithm_enc = SSL_3DES,
993 .algorithm_mac = SSL_SHA1,
994 .algorithm_ssl = SSL_TLSV1,
995 .algo_strength = SSL_MEDIUM,
996 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
997 .strength_bits = 112,
998 .alg_bits = 168,
999 },
1000
1001 /* Cipher C013 */
1002 {
1003 .valid = 1,
1004 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1005 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1006 .algorithm_mkey = SSL_kECDHE,
1007 .algorithm_auth = SSL_aRSA,
1008 .algorithm_enc = SSL_AES128,
1009 .algorithm_mac = SSL_SHA1,
1010 .algorithm_ssl = SSL_TLSV1,
1011 .algo_strength = SSL_HIGH,
1012 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1013 .strength_bits = 128,
1014 .alg_bits = 128,
1015 },
1016
1017 /* Cipher C014 */
1018 {
1019 .valid = 1,
1020 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1021 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1022 .algorithm_mkey = SSL_kECDHE,
1023 .algorithm_auth = SSL_aRSA,
1024 .algorithm_enc = SSL_AES256,
1025 .algorithm_mac = SSL_SHA1,
1026 .algorithm_ssl = SSL_TLSV1,
1027 .algo_strength = SSL_HIGH,
1028 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1029 .strength_bits = 256,
1030 .alg_bits = 256,
1031 },
1032
1033 /* Cipher C015 */
1034 {
1035 .valid = 1,
1036 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1037 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1038 .algorithm_mkey = SSL_kECDHE,
1039 .algorithm_auth = SSL_aNULL,
1040 .algorithm_enc = SSL_eNULL,
1041 .algorithm_mac = SSL_SHA1,
1042 .algorithm_ssl = SSL_TLSV1,
1043 .algo_strength = SSL_STRONG_NONE,
1044 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1045 .strength_bits = 0,
1046 .alg_bits = 0,
1047 },
1048
1049 /* Cipher C016 */
1050 {
1051 .valid = 1,
1052 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1053 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1054 .algorithm_mkey = SSL_kECDHE,
1055 .algorithm_auth = SSL_aNULL,
1056 .algorithm_enc = SSL_RC4,
1057 .algorithm_mac = SSL_SHA1,
1058 .algorithm_ssl = SSL_TLSV1,
1059 .algo_strength = SSL_LOW,
1060 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1061 .strength_bits = 128,
1062 .alg_bits = 128,
1063 },
1064
1065 /* Cipher C017 */
1066 {
1067 .valid = 1,
1068 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1069 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1070 .algorithm_mkey = SSL_kECDHE,
1071 .algorithm_auth = SSL_aNULL,
1072 .algorithm_enc = SSL_3DES,
1073 .algorithm_mac = SSL_SHA1,
1074 .algorithm_ssl = SSL_TLSV1,
1075 .algo_strength = SSL_MEDIUM,
1076 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1077 .strength_bits = 112,
1078 .alg_bits = 168,
1079 },
1080
1081 /* Cipher C018 */
1082 {
1083 .valid = 1,
1084 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1085 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1086 .algorithm_mkey = SSL_kECDHE,
1087 .algorithm_auth = SSL_aNULL,
1088 .algorithm_enc = SSL_AES128,
1089 .algorithm_mac = SSL_SHA1,
1090 .algorithm_ssl = SSL_TLSV1,
1091 .algo_strength = SSL_HIGH,
1092 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1093 .strength_bits = 128,
1094 .alg_bits = 128,
1095 },
1096
1097 /* Cipher C019 */
1098 {
1099 .valid = 1,
1100 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1101 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1102 .algorithm_mkey = SSL_kECDHE,
1103 .algorithm_auth = SSL_aNULL,
1104 .algorithm_enc = SSL_AES256,
1105 .algorithm_mac = SSL_SHA1,
1106 .algorithm_ssl = SSL_TLSV1,
1107 .algo_strength = SSL_HIGH,
1108 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1109 .strength_bits = 256,
1110 .alg_bits = 256,
1111 },
1112
1113
1114 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1115
1116 /* Cipher C023 */
1117 {
1118 .valid = 1,
1119 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1120 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1121 .algorithm_mkey = SSL_kECDHE,
1122 .algorithm_auth = SSL_aECDSA,
1123 .algorithm_enc = SSL_AES128,
1124 .algorithm_mac = SSL_SHA256,
1125 .algorithm_ssl = SSL_TLSV1_2,
1126 .algo_strength = SSL_HIGH,
1127 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1128 .strength_bits = 128,
1129 .alg_bits = 128,
1130 },
1131
1132 /* Cipher C024 */
1133 {
1134 .valid = 1,
1135 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1136 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1137 .algorithm_mkey = SSL_kECDHE,
1138 .algorithm_auth = SSL_aECDSA,
1139 .algorithm_enc = SSL_AES256,
1140 .algorithm_mac = SSL_SHA384,
1141 .algorithm_ssl = SSL_TLSV1_2,
1142 .algo_strength = SSL_HIGH,
1143 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1144 .strength_bits = 256,
1145 .alg_bits = 256,
1146 },
1147
1148 /* Cipher C027 */
1149 {
1150 .valid = 1,
1151 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1152 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1153 .algorithm_mkey = SSL_kECDHE,
1154 .algorithm_auth = SSL_aRSA,
1155 .algorithm_enc = SSL_AES128,
1156 .algorithm_mac = SSL_SHA256,
1157 .algorithm_ssl = SSL_TLSV1_2,
1158 .algo_strength = SSL_HIGH,
1159 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1160 .strength_bits = 128,
1161 .alg_bits = 128,
1162 },
1163
1164 /* Cipher C028 */
1165 {
1166 .valid = 1,
1167 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1168 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1169 .algorithm_mkey = SSL_kECDHE,
1170 .algorithm_auth = SSL_aRSA,
1171 .algorithm_enc = SSL_AES256,
1172 .algorithm_mac = SSL_SHA384,
1173 .algorithm_ssl = SSL_TLSV1_2,
1174 .algo_strength = SSL_HIGH,
1175 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1176 .strength_bits = 256,
1177 .alg_bits = 256,
1178 },
1179
1180 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1181
1182 /* Cipher C02B */
1183 {
1184 .valid = 1,
1185 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1186 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1187 .algorithm_mkey = SSL_kECDHE,
1188 .algorithm_auth = SSL_aECDSA,
1189 .algorithm_enc = SSL_AES128GCM,
1190 .algorithm_mac = SSL_AEAD,
1191 .algorithm_ssl = SSL_TLSV1_2,
1192 .algo_strength = SSL_HIGH,
1193 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1194 FIXED_NONCE_LEN(4)|
1195 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1196 .strength_bits = 128,
1197 .alg_bits = 128,
1198 },
1199
1200 /* Cipher C02C */
1201 {
1202 .valid = 1,
1203 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1204 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1205 .algorithm_mkey = SSL_kECDHE,
1206 .algorithm_auth = SSL_aECDSA,
1207 .algorithm_enc = SSL_AES256GCM,
1208 .algorithm_mac = SSL_AEAD,
1209 .algorithm_ssl = SSL_TLSV1_2,
1210 .algo_strength = SSL_HIGH,
1211 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1212 FIXED_NONCE_LEN(4)|
1213 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1214 .strength_bits = 256,
1215 .alg_bits = 256,
1216 },
1217
1218 /* Cipher C02F */
1219 {
1220 .valid = 1,
1221 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1222 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1223 .algorithm_mkey = SSL_kECDHE,
1224 .algorithm_auth = SSL_aRSA,
1225 .algorithm_enc = SSL_AES128GCM,
1226 .algorithm_mac = SSL_AEAD,
1227 .algorithm_ssl = SSL_TLSV1_2,
1228 .algo_strength = SSL_HIGH,
1229 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1230 FIXED_NONCE_LEN(4)|
1231 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1232 .strength_bits = 128,
1233 .alg_bits = 128,
1234 },
1235
1236 /* Cipher C030 */
1237 {
1238 .valid = 1,
1239 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1240 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1241 .algorithm_mkey = SSL_kECDHE,
1242 .algorithm_auth = SSL_aRSA,
1243 .algorithm_enc = SSL_AES256GCM,
1244 .algorithm_mac = SSL_AEAD,
1245 .algorithm_ssl = SSL_TLSV1_2,
1246 .algo_strength = SSL_HIGH,
1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1248 FIXED_NONCE_LEN(4)|
1249 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1250 .strength_bits = 256,
1251 .alg_bits = 256,
1252 },
1253
1254 /* Cipher CCA8 */
1255 {
1256 .valid = 1,
1257 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1258 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1259 .algorithm_mkey = SSL_kECDHE,
1260 .algorithm_auth = SSL_aRSA,
1261 .algorithm_enc = SSL_CHACHA20POLY1305,
1262 .algorithm_mac = SSL_AEAD,
1263 .algorithm_ssl = SSL_TLSV1_2,
1264 .algo_strength = SSL_HIGH,
1265 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1266 FIXED_NONCE_LEN(12),
1267 .strength_bits = 256,
1268 .alg_bits = 256,
1269 },
1270
1271 /* Cipher CCA9 */
1272 {
1273 .valid = 1,
1274 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1275 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1276 .algorithm_mkey = SSL_kECDHE,
1277 .algorithm_auth = SSL_aECDSA,
1278 .algorithm_enc = SSL_CHACHA20POLY1305,
1279 .algorithm_mac = SSL_AEAD,
1280 .algorithm_ssl = SSL_TLSV1_2,
1281 .algo_strength = SSL_HIGH,
1282 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1283 FIXED_NONCE_LEN(12),
1284 .strength_bits = 256,
1285 .alg_bits = 256,
1286 },
1287
1288 /* Cipher CCAA */
1289 {
1290 .valid = 1,
1291 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1292 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1293 .algorithm_mkey = SSL_kDHE,
1294 .algorithm_auth = SSL_aRSA,
1295 .algorithm_enc = SSL_CHACHA20POLY1305,
1296 .algorithm_mac = SSL_AEAD,
1297 .algorithm_ssl = SSL_TLSV1_2,
1298 .algo_strength = SSL_HIGH,
1299 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1300 FIXED_NONCE_LEN(12),
1301 .strength_bits = 256,
1302 .alg_bits = 256,
1303 },
1304
1305 /* Cipher FF85 FIXME IANA */
1306 {
1307 .valid = 1,
1308 .name = "GOST2012256-GOST89-GOST89",
1309 .id = 0x300ff85, /* FIXME IANA */
1310 .algorithm_mkey = SSL_kGOST,
1311 .algorithm_auth = SSL_aGOST01,
1312 .algorithm_enc = SSL_eGOST2814789CNT,
1313 .algorithm_mac = SSL_GOST89MAC,
1314 .algorithm_ssl = SSL_TLSV1,
1315 .algo_strength = SSL_HIGH,
1316 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1317 TLS1_STREAM_MAC,
1318 .strength_bits = 256,
1319 .alg_bits = 256
1320 },
1321
1322 /* Cipher FF87 FIXME IANA */
1323 {
1324 .valid = 1,
1325 .name = "GOST2012256-NULL-STREEBOG256",
1326 .id = 0x300ff87, /* FIXME IANA */
1327 .algorithm_mkey = SSL_kGOST,
1328 .algorithm_auth = SSL_aGOST01,
1329 .algorithm_enc = SSL_eNULL,
1330 .algorithm_mac = SSL_STREEBOG256,
1331 .algorithm_ssl = SSL_TLSV1,
1332 .algo_strength = SSL_STRONG_NONE,
1333 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1334 .strength_bits = 0,
1335 .alg_bits = 0
1336 },
1337
1338
1339 /* end of list */
1340 };
1341
1342 int
1343 ssl3_num_ciphers(void)
1344 {
1345 return (SSL3_NUM_CIPHERS);
1346 }
1347
1348 const SSL_CIPHER *
1349 ssl3_get_cipher(unsigned int u)
1350 {
1351 if (u < SSL3_NUM_CIPHERS)
1352 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1353 else
1354 return (NULL);
1355 }
1356
1357 const SSL_CIPHER *
1358 ssl3_get_cipher_by_id(unsigned int id)
1359 {
1360 const SSL_CIPHER *cp;
1361 SSL_CIPHER c;
1362
1363 c.id = id;
1364 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1365 if (cp != NULL && cp->valid == 1)
1366 return (cp);
1367
1368 return (NULL);
1369 }
1370
1371 const SSL_CIPHER *
1372 ssl3_get_cipher_by_value(uint16_t value)
1373 {
1374 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1375 }
1376
1377 uint16_t
1378 ssl3_cipher_get_value(const SSL_CIPHER *c)
1379 {
1380 return (c->id & SSL3_CK_VALUE_MASK);
1381 }
1382
1383 int
1384 ssl3_pending(const SSL *s)
1385 {
1386 if (s->internal->rstate == SSL_ST_READ_BODY)
1387 return 0;
1388
1389 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1390 S3I(s)->rrec.length : 0;
1391 }
1392
1393 int
1394 ssl3_handshake_msg_hdr_len(SSL *s)
1395 {
1396 return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH :
1397 SSL3_HM_HEADER_LENGTH);
1398 }
1399
1400 int
1401 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1402 {
1403 int ret = 0;
1404
1405 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1406 goto err;
1407 if (!CBB_add_u8(handshake, msg_type))
1408 goto err;
1409 if (SSL_IS_DTLS(s)) {
1410 unsigned char *data;
1411
1412 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1413 SSL3_HM_HEADER_LENGTH))
1414 goto err;
1415 }
1416 if (!CBB_add_u24_length_prefixed(handshake, body))
1417 goto err;
1418
1419 ret = 1;
1420
1421 err:
1422 return (ret);
1423 }
1424
1425 int
1426 ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1427 {
1428 unsigned char *data = NULL;
1429 size_t outlen;
1430 int ret = 0;
1431
1432 if (!CBB_finish(handshake, &data, &outlen))
1433 goto err;
1434
1435 if (outlen > INT_MAX)
1436 goto err;
1437
1438 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1439 goto err;
1440
1441 memcpy(s->internal->init_buf->data, data, outlen);
1442
1443 s->internal->init_num = (int)outlen;
1444 s->internal->init_off = 0;
1445
1446 if (SSL_IS_DTLS(s)) {
1447 unsigned long len;
1448 uint8_t msg_type;
1449 CBS cbs;
1450
1451 CBS_init(&cbs, data, outlen);
1452 if (!CBS_get_u8(&cbs, &msg_type))
1453 goto err;
1454
1455 len = outlen - ssl3_handshake_msg_hdr_len(s);
1456
1457 dtls1_set_message_header(s, msg_type, len, 0, len);
1458 dtls1_buffer_message(s, 0);
1459 }
1460
1461 ret = 1;
1462
1463 err:
1464 free(data);
1465
1466 return (ret);
1467 }
1468
1469 int
1470 ssl3_handshake_write(SSL *s)
1471 {
1472 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1473 }
1474
1475 int
1476 ssl3_record_write(SSL *s, int type)
1477 {
1478 if (SSL_IS_DTLS(s))
1479 return dtls1_do_write(s, type);
1480
1481 return ssl3_do_write(s, type);
1482 }
1483
1484 int
1485 ssl3_new(SSL *s)
1486 {
1487 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1488 return (0);
1489 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
1490 free(s->s3);
1491 return (0);
1492 }
1493
1494 s->method->internal->ssl_clear(s);
1495
1496 return (1);
1497 }
1498
1499 void
1500 ssl3_free(SSL *s)
1501 {
1502 if (s == NULL)
1503 return;
1504
1505 tls1_cleanup_key_block(s);
1506 ssl3_release_read_buffer(s);
1507 ssl3_release_write_buffer(s);
1508
1509 DH_free(S3I(s)->tmp.dh);
1510 EC_KEY_free(S3I(s)->tmp.ecdh);
1511
1512 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1513
1514 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1515
1516 BIO_free(S3I(s)->handshake_buffer);
1517
1518 tls1_handshake_hash_free(s);
1519
1520 free(S3I(s)->alpn_selected);
1521
1522 freezero(S3I(s), sizeof(*S3I(s)));
1523 freezero(s->s3, sizeof(*s->s3));
1524
1525 s->s3 = NULL;
1526 }
1527
1528 void
1529 ssl3_clear(SSL *s)
1530 {
1531 struct ssl3_state_internal_st *internal;
1532 unsigned char *rp, *wp;
1533 size_t rlen, wlen;
1534
1535 tls1_cleanup_key_block(s);
1536 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1537
1538 DH_free(S3I(s)->tmp.dh);
1539 S3I(s)->tmp.dh = NULL;
1540 EC_KEY_free(S3I(s)->tmp.ecdh);
1541 S3I(s)->tmp.ecdh = NULL;
1542
1543 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1544 S3I(s)->tmp.x25519 = NULL;
1545
1546 rp = s->s3->rbuf.buf;
1547 wp = s->s3->wbuf.buf;
1548 rlen = s->s3->rbuf.len;
1549 wlen = s->s3->wbuf.len;
1550
1551 BIO_free(S3I(s)->handshake_buffer);
1552 S3I(s)->handshake_buffer = NULL;
1553
1554 tls1_handshake_hash_free(s);
1555
1556 free(S3I(s)->alpn_selected);
1557 S3I(s)->alpn_selected = NULL;
1558
1559 memset(S3I(s), 0, sizeof(*S3I(s)));
1560 internal = S3I(s);
1561 memset(s->s3, 0, sizeof(*s->s3));
1562 S3I(s) = internal;
1563
1564 s->s3->rbuf.buf = rp;
1565 s->s3->wbuf.buf = wp;
1566 s->s3->rbuf.len = rlen;
1567 s->s3->wbuf.len = wlen;
1568
1569 ssl_free_wbio_buffer(s);
1570
1571 /* Not needed... */
1572 S3I(s)->renegotiate = 0;
1573 S3I(s)->total_renegotiations = 0;
1574 S3I(s)->num_renegotiations = 0;
1575 S3I(s)->in_read_app_data = 0;
1576
1577 s->internal->packet_length = 0;
1578 s->version = TLS1_VERSION;
1579 }
1580
1581 static long
1582 ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)
1583 {
1584 EVP_PKEY *pkey = NULL;
1585 EC_GROUP *group = NULL;
1586 EC_POINT *point = NULL;
1587 EC_KEY *ec_key = NULL;
1588 BIGNUM *order = NULL;
1589 SESS_CERT *sc;
1590 int ret = 0;
1591
1592 *pkey_tmp = NULL;
1593
1594 if (s->server != 0)
1595 return 0;
1596 if (s->session == NULL || SSI(s)->sess_cert == NULL)
1597 return 0;
1598
1599 sc = SSI(s)->sess_cert;
1600
1601 if ((pkey = EVP_PKEY_new()) == NULL)
1602 return 0;
1603
1604 if (sc->peer_dh_tmp != NULL) {
1605 ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp);
1606 } else if (sc->peer_ecdh_tmp) {
1607 ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp);
1608 } else if (sc->peer_x25519_tmp != NULL) {
1609 /* Fudge up an EC_KEY that looks like X25519... */
1610 if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL)
1611 goto err;
1612 if ((point = EC_POINT_new(group)) == NULL)
1613 goto err;
1614 if ((order = BN_new()) == NULL)
1615 goto err;
1616 if (!BN_set_bit(order, 252))
1617 goto err;
1618 if (!EC_GROUP_set_generator(group, point, order, NULL))
1619 goto err;
1620 EC_GROUP_set_curve_name(group, NID_X25519);
1621 if ((ec_key = EC_KEY_new()) == NULL)
1622 goto err;
1623 if (!EC_KEY_set_group(ec_key, group))
1624 goto err;
1625 ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key);
1626 }
1627
1628 if (ret == 1) {
1629 *pkey_tmp = pkey;
1630 pkey = NULL;
1631 }
1632
1633 err:
1634 EVP_PKEY_free(pkey);
1635 EC_GROUP_free(group);
1636 EC_POINT_free(point);
1637 EC_KEY_free(ec_key);
1638 BN_free(order);
1639
1640 return (ret);
1641 }
1642
1643 static int
1644 _SSL_session_reused(SSL *s)
1645 {
1646 return s->internal->hit;
1647 }
1648
1649 static int
1650 _SSL_num_renegotiations(SSL *s)
1651 {
1652 return S3I(s)->num_renegotiations;
1653 }
1654
1655 static int
1656 _SSL_clear_num_renegotiations(SSL *s)
1657 {
1658 int renegs;
1659
1660 renegs = S3I(s)->num_renegotiations;
1661 S3I(s)->num_renegotiations = 0;
1662
1663 return renegs;
1664 }
1665
1666 static int
1667 _SSL_total_renegotiations(SSL *s)
1668 {
1669 return S3I(s)->total_renegotiations;
1670 }
1671
1672 static int
1673 _SSL_set_tmp_dh(SSL *s, DH *dh)
1674 {
1675 DH *dh_tmp;
1676
1677 if (!ssl_cert_inst(&s->cert)) {
1678 SSLerror(s, ERR_R_MALLOC_FAILURE);
1679 return 0;
1680 }
1681
1682 if (dh == NULL) {
1683 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1684 return 0;
1685 }
1686
1687 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
1688 SSLerror(s, ERR_R_DH_LIB);
1689 return 0;
1690 }
1691
1692 DH_free(s->cert->dh_tmp);
1693 s->cert->dh_tmp = dh_tmp;
1694
1695 return 1;
1696 }
1697
1698 static int
1699 _SSL_set_dh_auto(SSL *s, int state)
1700 {
1701 s->cert->dh_tmp_auto = state;
1702 return 1;
1703 }
1704
1705 static int
1706 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1707 {
1708 const EC_GROUP *group;
1709 int nid;
1710
1711 if (!ssl_cert_inst(&s->cert)) {
1712 SSLerror(s, ERR_R_MALLOC_FAILURE);
1713 return 0;
1714 }
1715
1716 if (ecdh == NULL)
1717 return 0;
1718 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1719 return 0;
1720
1721 nid = EC_GROUP_get_curve_name(group);
1722 return SSL_set1_groups(s, &nid, 1);
1723 }
1724
1725 static int
1726 _SSL_set_ecdh_auto(SSL *s, int state)
1727 {
1728 return 1;
1729 }
1730
1731 static int
1732 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1733 {
1734 free(s->tlsext_hostname);
1735 s->tlsext_hostname = NULL;
1736
1737 if (name == NULL)
1738 return 1;
1739
1740 if (strlen(name) > TLSEXT_MAXLEN_host_name) {
1741 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1742 return 0;
1743 }
1744
1745 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1746 SSLerror(s, ERR_R_INTERNAL_ERROR);
1747 return 0;
1748 }
1749
1750 return 1;
1751 }
1752
1753 static int
1754 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1755 {
1756 s->internal->tlsext_debug_arg = arg;
1757 return 1;
1758 }
1759
1760 static int
1761 _SSL_set_tlsext_status_type(SSL *s, int type)
1762 {
1763 s->tlsext_status_type = type;
1764 return 1;
1765 }
1766
1767 static int
1768 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1769 {
1770 *exts = s->internal->tlsext_ocsp_exts;
1771 return 1;
1772 }
1773
1774 static int
1775 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1776 {
1777 /* XXX - leak... */
1778 s->internal->tlsext_ocsp_exts = exts;
1779 return 1;
1780 }
1781
1782 static int
1783 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1784 {
1785 *ids = s->internal->tlsext_ocsp_ids;
1786 return 1;
1787 }
1788
1789 static int
1790 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1791 {
1792 /* XXX - leak... */
1793 s->internal->tlsext_ocsp_ids = ids;
1794 return 1;
1795 }
1796
1797 static int
1798 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1799 {
1800 *resp = s->internal->tlsext_ocsp_resp;
1801 return s->internal->tlsext_ocsp_resplen;
1802 }
1803
1804 static int
1805 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1806 {
1807 free(s->internal->tlsext_ocsp_resp);
1808 s->internal->tlsext_ocsp_resp = resp;
1809 s->internal->tlsext_ocsp_resplen = resp_len;
1810 return 1;
1811 }
1812
1813 int
1814 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1815 {
1816 return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1817 &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1818 }
1819
1820 int
1821 SSL_set1_groups_list(SSL *s, const char *groups)
1822 {
1823 return tls1_set_groups_list(&s->internal->tlsext_supportedgroups,
1824 &s->internal->tlsext_supportedgroups_length, groups);
1825 }
1826
1827 long
1828 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1829 {
1830 switch (cmd) {
1831 case SSL_CTRL_GET_SESSION_REUSED:
1832 return _SSL_session_reused(s);
1833
1834 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1835 return _SSL_num_renegotiations(s);
1836
1837 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1838 return _SSL_clear_num_renegotiations(s);
1839
1840 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1841 return _SSL_total_renegotiations(s);
1842
1843 case SSL_CTRL_SET_TMP_DH:
1844 return _SSL_set_tmp_dh(s, parg);
1845
1846 case SSL_CTRL_SET_TMP_DH_CB:
1847 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1848 return 0;
1849
1850 case SSL_CTRL_SET_DH_AUTO:
1851 return _SSL_set_dh_auto(s, larg);
1852
1853 case SSL_CTRL_SET_TMP_ECDH:
1854 return _SSL_set_tmp_ecdh(s, parg);
1855
1856 case SSL_CTRL_SET_TMP_ECDH_CB:
1857 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1858 return 0;
1859
1860 case SSL_CTRL_SET_ECDH_AUTO:
1861 return _SSL_set_ecdh_auto(s, larg);
1862
1863 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
1864 if (larg != TLSEXT_NAMETYPE_host_name) {
1865 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
1866 return 0;
1867 }
1868 return _SSL_set_tlsext_host_name(s, parg);
1869
1870 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
1871 return _SSL_set_tlsext_debug_arg(s, parg);
1872
1873 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
1874 return _SSL_set_tlsext_status_type(s, larg);
1875
1876 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
1877 return _SSL_get_tlsext_status_exts(s, parg);
1878
1879 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
1880 return _SSL_set_tlsext_status_exts(s, parg);
1881
1882 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
1883 return _SSL_get_tlsext_status_ids(s, parg);
1884
1885 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
1886 return _SSL_set_tlsext_status_ids(s, parg);
1887
1888 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
1889 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
1890
1891 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
1892 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
1893
1894 case SSL_CTRL_SET_GROUPS:
1895 return SSL_set1_groups(s, parg, larg);
1896
1897 case SSL_CTRL_SET_GROUPS_LIST:
1898 return SSL_set1_groups_list(s, parg);
1899
1900 case SSL_CTRL_GET_SERVER_TMP_KEY:
1901 return ssl_ctrl_get_server_tmp_key(s, parg);
1902
1903 case SSL_CTRL_GET_MIN_PROTO_VERSION:
1904 return SSL_get_min_proto_version(s);
1905
1906 case SSL_CTRL_GET_MAX_PROTO_VERSION:
1907 return SSL_get_max_proto_version(s);
1908
1909 case SSL_CTRL_SET_MIN_PROTO_VERSION:
1910 if (larg < 0 || larg > UINT16_MAX)
1911 return 0;
1912 return SSL_set_min_proto_version(s, larg);
1913
1914 case SSL_CTRL_SET_MAX_PROTO_VERSION:
1915 if (larg < 0 || larg > UINT16_MAX)
1916 return 0;
1917 return SSL_set_max_proto_version(s, larg);
1918
1919 /*
1920 * Legacy controls that should eventually be removed.
1921 */
1922 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
1923 return 0;
1924
1925 case SSL_CTRL_GET_FLAGS:
1926 return (int)(s->s3->flags);
1927
1928 case SSL_CTRL_NEED_TMP_RSA:
1929 return 0;
1930
1931 case SSL_CTRL_SET_TMP_RSA:
1932 case SSL_CTRL_SET_TMP_RSA_CB:
1933 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1934 return 0;
1935 }
1936
1937 return 0;
1938 }
1939
1940 long
1941 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1942 {
1943 if (cmd == SSL_CTRL_SET_TMP_DH_CB || cmd == SSL_CTRL_SET_TMP_ECDH_CB) {
1944 if (!ssl_cert_inst(&s->cert)) {
1945 SSLerror(s, ERR_R_MALLOC_FAILURE);
1946 return 0;
1947 }
1948 }
1949
1950 switch (cmd) {
1951 case SSL_CTRL_SET_TMP_RSA_CB:
1952 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1953 return 0;
1954
1955 case SSL_CTRL_SET_TMP_DH_CB:
1956 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
1957 return 1;
1958
1959 case SSL_CTRL_SET_TMP_ECDH_CB:
1960 return 1;
1961
1962 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
1963 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
1964 unsigned char *, int, void *))fp;
1965 return 1;
1966 }
1967
1968 return 0;
1969 }
1970
1971 static int
1972 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
1973 {
1974 DH *dh_tmp;
1975
1976 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
1977 SSLerrorx(ERR_R_DH_LIB);
1978 return 0;
1979 }
1980
1981 DH_free(ctx->internal->cert->dh_tmp);
1982 ctx->internal->cert->dh_tmp = dh_tmp;
1983
1984 return 1;
1985 }
1986
1987 static int
1988 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
1989 {
1990 ctx->internal->cert->dh_tmp_auto = state;
1991 return 1;
1992 }
1993
1994 static int
1995 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
1996 {
1997 const EC_GROUP *group;
1998 int nid;
1999
2000 if (ecdh == NULL)
2001 return 0;
2002 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2003 return 0;
2004
2005 nid = EC_GROUP_get_curve_name(group);
2006 return SSL_CTX_set1_groups(ctx, &nid, 1);
2007 }
2008
2009 static int
2010 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2011 {
2012 return 1;
2013 }
2014
2015 static int
2016 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2017 {
2018 ctx->internal->tlsext_servername_arg = arg;
2019 return 1;
2020 }
2021
2022 static int
2023 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2024 {
2025 if (keys == NULL)
2026 return 48;
2027
2028 if (keys_len != 48) {
2029 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2030 return 0;
2031 }
2032
2033 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2034 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2035 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2036
2037 return 1;
2038 }
2039
2040 static int
2041 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2042 {
2043 if (keys == NULL)
2044 return 48;
2045
2046 if (keys_len != 48) {
2047 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2048 return 0;
2049 }
2050
2051 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2052 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2053 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2054
2055 return 1;
2056 }
2057
2058 static int
2059 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2060 {
2061 *arg = ctx->internal->tlsext_status_arg;
2062 return 1;
2063 }
2064
2065 static int
2066 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2067 {
2068 ctx->internal->tlsext_status_arg = arg;
2069 return 1;
2070 }
2071
2072 static int
2073 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2074 {
2075 if (ctx->extra_certs == NULL) {
2076 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2077 return 0;
2078 }
2079 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2080 return 0;
2081
2082 return 1;
2083 }
2084
2085 static int
2086 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2087 {
2088 *certs = ctx->extra_certs;
2089 return 1;
2090 }
2091
2092 static int
2093 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2094 {
2095 sk_X509_pop_free(ctx->extra_certs, X509_free);
2096 ctx->extra_certs = NULL;
2097 return 1;
2098 }
2099
2100 int
2101 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2102 {
2103 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2104 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2105 }
2106
2107 int
2108 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2109 {
2110 return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups,
2111 &ctx->internal->tlsext_supportedgroups_length, groups);
2112 }
2113
2114 long
2115 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2116 {
2117 switch (cmd) {
2118 case SSL_CTRL_SET_TMP_DH:
2119 return _SSL_CTX_set_tmp_dh(ctx, parg);
2120
2121 case SSL_CTRL_SET_TMP_DH_CB:
2122 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2123 return 0;
2124
2125 case SSL_CTRL_SET_DH_AUTO:
2126 return _SSL_CTX_set_dh_auto(ctx, larg);
2127
2128 case SSL_CTRL_SET_TMP_ECDH:
2129 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2130
2131 case SSL_CTRL_SET_TMP_ECDH_CB:
2132 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2133 return 0;
2134
2135 case SSL_CTRL_SET_ECDH_AUTO:
2136 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2137
2138 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2139 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2140
2141 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2142 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2143
2144 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2145 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2146
2147 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2148 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2149
2150 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2151 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2152
2153 case SSL_CTRL_EXTRA_CHAIN_CERT:
2154 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2155
2156 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2157 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2158
2159 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2160 return _SSL_CTX_clear_extra_chain_certs(ctx);
2161
2162 case SSL_CTRL_SET_GROUPS:
2163 return SSL_CTX_set1_groups(ctx, parg, larg);
2164
2165 case SSL_CTRL_SET_GROUPS_LIST:
2166 return SSL_CTX_set1_groups_list(ctx, parg);
2167
2168 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2169 return SSL_CTX_get_min_proto_version(ctx);
2170
2171 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2172 return SSL_CTX_get_max_proto_version(ctx);
2173
2174 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2175 if (larg < 0 || larg > UINT16_MAX)
2176 return 0;
2177 return SSL_CTX_set_min_proto_version(ctx, larg);
2178
2179 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2180 if (larg < 0 || larg > UINT16_MAX)
2181 return 0;
2182 return SSL_CTX_set_max_proto_version(ctx, larg);
2183
2184 /*
2185 * Legacy controls that should eventually be removed.
2186 */
2187 case SSL_CTRL_NEED_TMP_RSA:
2188 return 0;
2189
2190 case SSL_CTRL_SET_TMP_RSA:
2191 case SSL_CTRL_SET_TMP_RSA_CB:
2192 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2193 return 0;
2194 }
2195
2196 return 0;
2197 }
2198
2199 long
2200 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2201 {
2202 switch (cmd) {
2203 case SSL_CTRL_SET_TMP_RSA_CB:
2204 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2205 return 0;
2206
2207 case SSL_CTRL_SET_TMP_DH_CB:
2208 ctx->internal->cert->dh_tmp_cb =
2209 (DH *(*)(SSL *, int, int))fp;
2210 return 1;
2211
2212 case SSL_CTRL_SET_TMP_ECDH_CB:
2213 return 1;
2214
2215 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2216 ctx->internal->tlsext_servername_callback =
2217 (int (*)(SSL *, int *, void *))fp;
2218 return 1;
2219
2220 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2221 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2222 return 1;
2223
2224 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2225 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2226 return 1;
2227
2228 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2229 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2230 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2231 return 1;
2232 }
2233
2234 return 0;
2235 }
2236
2237 /*
2238 * This function needs to check if the ciphers required are actually available.
2239 */
2240 const SSL_CIPHER *
2241 ssl3_get_cipher_by_char(const unsigned char *p)
2242 {
2243 uint16_t cipher_value;
2244 CBS cbs;
2245
2246 /* We have to assume it is at least 2 bytes due to existing API. */
2247 CBS_init(&cbs, p, 2);
2248 if (!CBS_get_u16(&cbs, &cipher_value))
2249 return NULL;
2250
2251 return ssl3_get_cipher_by_value(cipher_value);
2252 }
2253
2254 int
2255 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
2256 {
2257 CBB cbb;
2258
2259 if (p == NULL)
2260 return (2);
2261
2262 if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID)
2263 return (0);
2264
2265 memset(&cbb, 0, sizeof(cbb));
2266
2267 /* We have to assume it is at least 2 bytes due to existing API. */
2268 if (!CBB_init_fixed(&cbb, p, 2))
2269 goto err;
2270 if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c)))
2271 goto err;
2272 if (!CBB_finish(&cbb, NULL, NULL))
2273 goto err;
2274
2275 return (2);
2276
2277 err:
2278 CBB_cleanup(&cbb);
2279 return (0);
2280 }
2281
2282 SSL_CIPHER *
2283 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2284 STACK_OF(SSL_CIPHER) *srvr)
2285 {
2286 unsigned long alg_k, alg_a, mask_k, mask_a;
2287 STACK_OF(SSL_CIPHER) *prio, *allow;
2288 SSL_CIPHER *c, *ret = NULL;
2289 int i, ii, ok;
2290 CERT *cert;
2291
2292 /* Let's see which ciphers we can support */
2293 cert = s->cert;
2294
2295 /*
2296 * Do not set the compare functions, because this may lead to a
2297 * reordering by "id". We want to keep the original ordering.
2298 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2299 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2300 */
2301
2302 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2303 prio = srvr;
2304 allow = clnt;
2305 } else {
2306 prio = clnt;
2307 allow = srvr;
2308 }
2309
2310 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2311 c = sk_SSL_CIPHER_value(prio, i);
2312
2313 /* Skip TLS v1.2 only ciphersuites if not supported. */
2314 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2315 !SSL_USE_TLS1_2_CIPHERS(s))
2316 continue;
2317
2318 ssl_set_cert_masks(cert, c);
2319 mask_k = cert->mask_k;
2320 mask_a = cert->mask_a;
2321
2322 alg_k = c->algorithm_mkey;
2323 alg_a = c->algorithm_auth;
2324
2325
2326 ok = (alg_k & mask_k) && (alg_a & mask_a);
2327
2328 /*
2329 * If we are considering an ECC cipher suite that uses our
2330 * certificate check it.
2331 */
2332 if (alg_a & SSL_aECDSA)
2333 ok = ok && tls1_check_ec_server_key(s);
2334 /*
2335 * If we are considering an ECC cipher suite that uses
2336 * an ephemeral EC key check it.
2337 */
2338 if (alg_k & SSL_kECDHE)
2339 ok = ok && tls1_check_ec_tmp_key(s);
2340
2341 if (!ok)
2342 continue;
2343 ii = sk_SSL_CIPHER_find(allow, c);
2344 if (ii >= 0) {
2345 ret = sk_SSL_CIPHER_value(allow, ii);
2346 break;
2347 }
2348 }
2349 return (ret);
2350 }
2351
2352 int
2353 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2354 {
2355 unsigned long alg_k;
2356
2357 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2358
2359 #ifndef OPENSSL_NO_GOST
2360 if ((alg_k & SSL_kGOST) != 0) {
2361 if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
2362 return 0;
2363 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2364 return 0;
2365 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2366 return 0;
2367 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2368 return 0;
2369 }
2370 #endif
2371
2372 if ((alg_k & SSL_kDHE) != 0) {
2373 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2374 return 0;
2375 }
2376
2377 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2378 return 0;
2379
2380 /*
2381 * ECDSA certs can be used with RSA cipher suites as well
2382 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2383 */
2384 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2385 return 0;
2386
2387 return 1;
2388 }
2389
2390 int
2391 ssl3_shutdown(SSL *s)
2392 {
2393 int ret;
2394
2395 /*
2396 * Don't do anything much if we have not done the handshake or
2397 * we don't want to send messages :-)
2398 */
2399 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) {
2400 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2401 return (1);
2402 }
2403
2404 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2405 s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2406 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2407 /*
2408 * Our shutdown alert has been sent now, and if it still needs
2409 * to be written, s->s3->alert_dispatch will be true
2410 */
2411 if (s->s3->alert_dispatch)
2412 return(-1); /* return WANT_WRITE */
2413 } else if (s->s3->alert_dispatch) {
2414 /* resend it if not sent */
2415 ret = s->method->ssl_dispatch_alert(s);
2416 if (ret == -1) {
2417 /*
2418 * We only get to return -1 here the 2nd/Nth
2419 * invocation, we must have already signalled
2420 * return 0 upon a previous invoation,
2421 * return WANT_WRITE
2422 */
2423 return (ret);
2424 }
2425 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2426 /* If we are waiting for a close from our peer, we are closed */
2427 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0);
2428 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2429 return(-1); /* return WANT_READ */
2430 }
2431 }
2432
2433 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2434 !s->s3->alert_dispatch)
2435 return (1);
2436 else
2437 return (0);
2438 }
2439
2440 int
2441 ssl3_write(SSL *s, const void *buf, int len)
2442 {
2443 errno = 0;
2444
2445 if (S3I(s)->renegotiate)
2446 ssl3_renegotiate_check(s);
2447
2448 return s->method->internal->ssl_write_bytes(s,
2449 SSL3_RT_APPLICATION_DATA, buf, len);
2450 }
2451
2452 static int
2453 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2454 {
2455 int ret;
2456
2457 errno = 0;
2458 if (S3I(s)->renegotiate)
2459 ssl3_renegotiate_check(s);
2460 S3I(s)->in_read_app_data = 1;
2461 ret = s->method->internal->ssl_read_bytes(s,
2462 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2463 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2464 /*
2465 * ssl3_read_bytes decided to call s->internal->handshake_func, which
2466 * called ssl3_read_bytes to read handshake data.
2467 * However, ssl3_read_bytes actually found application data
2468 * and thinks that application data makes sense here; so disable
2469 * handshake processing and try to read application data again.
2470 */
2471 s->internal->in_handshake++;
2472 ret = s->method->internal->ssl_read_bytes(s,
2473 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2474 s->internal->in_handshake--;
2475 } else
2476 S3I(s)->in_read_app_data = 0;
2477
2478 return (ret);
2479 }
2480
2481 int
2482 ssl3_read(SSL *s, void *buf, int len)
2483 {
2484 return ssl3_read_internal(s, buf, len, 0);
2485 }
2486
2487 int
2488 ssl3_peek(SSL *s, void *buf, int len)
2489 {
2490 return ssl3_read_internal(s, buf, len, 1);
2491 }
2492
2493 int
2494 ssl3_renegotiate(SSL *s)
2495 {
2496 if (s->internal->handshake_func == NULL)
2497 return (1);
2498
2499 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2500 return (0);
2501
2502 S3I(s)->renegotiate = 1;
2503 return (1);
2504 }
2505
2506 int
2507 ssl3_renegotiate_check(SSL *s)
2508 {
2509 int ret = 0;
2510
2511 if (S3I(s)->renegotiate) {
2512 if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) &&
2513 !SSL_in_init(s)) {
2514 /*
2515 * If we are the server, and we have sent
2516 * a 'RENEGOTIATE' message, we need to go
2517 * to SSL_ST_ACCEPT.
2518 */
2519 /* SSL_ST_ACCEPT */
2520 S3I(s)->hs.state = SSL_ST_RENEGOTIATE;
2521 S3I(s)->renegotiate = 0;
2522 S3I(s)->num_renegotiations++;
2523 S3I(s)->total_renegotiations++;
2524 ret = 1;
2525 }
2526 }
2527 return (ret);
2528 }
2529 /*
2530 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
2531 * and handshake macs if required.
2532 */
2533 long
2534 ssl_get_algorithm2(SSL *s)
2535 {
2536 long alg2 = S3I(s)->hs.new_cipher->algorithm2;
2537
2538 if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2539 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
2540 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
2541 return alg2;
2542 }
Unleashed OS