search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'merges'
[unleashed.git] / lib / libssl / s3_lib.c
blob52e0c524102def938793338484efd06eb82ef91d
1 /* $OpenBSD: s3_lib.c,v 1.165 2018/03/15 12:27:00 jca Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <limits.h>
152 #include <stdio.h>
153
154 #include <openssl/bn.h>
155 #include <openssl/curve25519.h>
156 #include <openssl/dh.h>
157 #include <openssl/md5.h>
158 #include <openssl/objects.h>
159
160 #include "ssl_locl.h"
161 #include "bytestring.h"
162
163 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
164
165 /*
166 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
167 * fixed nonce length in algorithms2. It is the inverse of the
168 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
169 */
170 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
171
172 /* list of available SSLv3 ciphers (sorted by id) */
173 SSL_CIPHER ssl3_ciphers[] = {
174
175 /* The RSA ciphers */
176 /* Cipher 01 */
177 {
178 .valid = 1,
179 .name = SSL3_TXT_RSA_NULL_MD5,
180 .id = SSL3_CK_RSA_NULL_MD5,
181 .algorithm_mkey = SSL_kRSA,
182 .algorithm_auth = SSL_aRSA,
183 .algorithm_enc = SSL_eNULL,
184 .algorithm_mac = SSL_MD5,
185 .algorithm_ssl = SSL_SSLV3,
186 .algo_strength = SSL_STRONG_NONE,
187 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
188 .strength_bits = 0,
189 .alg_bits = 0,
190 },
191
192 /* Cipher 02 */
193 {
194 .valid = 1,
195 .name = SSL3_TXT_RSA_NULL_SHA,
196 .id = SSL3_CK_RSA_NULL_SHA,
197 .algorithm_mkey = SSL_kRSA,
198 .algorithm_auth = SSL_aRSA,
199 .algorithm_enc = SSL_eNULL,
200 .algorithm_mac = SSL_SHA1,
201 .algorithm_ssl = SSL_SSLV3,
202 .algo_strength = SSL_STRONG_NONE,
203 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
204 .strength_bits = 0,
205 .alg_bits = 0,
206 },
207
208 /* Cipher 04 */
209 {
210 .valid = 1,
211 .name = SSL3_TXT_RSA_RC4_128_MD5,
212 .id = SSL3_CK_RSA_RC4_128_MD5,
213 .algorithm_mkey = SSL_kRSA,
214 .algorithm_auth = SSL_aRSA,
215 .algorithm_enc = SSL_RC4,
216 .algorithm_mac = SSL_MD5,
217 .algorithm_ssl = SSL_SSLV3,
218 .algo_strength = SSL_LOW,
219 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
220 .strength_bits = 128,
221 .alg_bits = 128,
222 },
223
224 /* Cipher 05 */
225 {
226 .valid = 1,
227 .name = SSL3_TXT_RSA_RC4_128_SHA,
228 .id = SSL3_CK_RSA_RC4_128_SHA,
229 .algorithm_mkey = SSL_kRSA,
230 .algorithm_auth = SSL_aRSA,
231 .algorithm_enc = SSL_RC4,
232 .algorithm_mac = SSL_SHA1,
233 .algorithm_ssl = SSL_SSLV3,
234 .algo_strength = SSL_LOW,
235 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
236 .strength_bits = 128,
237 .alg_bits = 128,
238 },
239
240 /* Cipher 09 */
241 {
242 .valid = 1,
243 .name = SSL3_TXT_RSA_DES_64_CBC_SHA,
244 .id = SSL3_CK_RSA_DES_64_CBC_SHA,
245 .algorithm_mkey = SSL_kRSA,
246 .algorithm_auth = SSL_aRSA,
247 .algorithm_enc = SSL_DES,
248 .algorithm_mac = SSL_SHA1,
249 .algorithm_ssl = SSL_SSLV3,
250 .algo_strength = SSL_LOW,
251 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
252 .strength_bits = 56,
253 .alg_bits = 56,
254 },
255
256 /* Cipher 0A */
257 {
258 .valid = 1,
259 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
260 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
261 .algorithm_mkey = SSL_kRSA,
262 .algorithm_auth = SSL_aRSA,
263 .algorithm_enc = SSL_3DES,
264 .algorithm_mac = SSL_SHA1,
265 .algorithm_ssl = SSL_SSLV3,
266 .algo_strength = SSL_MEDIUM,
267 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
268 .strength_bits = 112,
269 .alg_bits = 168,
270 },
271
272 /*
273 * Ephemeral DH (DHE) ciphers.
274 */
275
276 /* Cipher 15 */
277 {
278 .valid = 1,
279 .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
280 .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
281 .algorithm_mkey = SSL_kDHE,
282 .algorithm_auth = SSL_aRSA,
283 .algorithm_enc = SSL_DES,
284 .algorithm_mac = SSL_SHA1,
285 .algorithm_ssl = SSL_SSLV3,
286 .algo_strength = SSL_LOW,
287 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
288 .strength_bits = 56,
289 .alg_bits = 56,
290 },
291
292 /* Cipher 16 */
293 {
294 .valid = 1,
295 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
296 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
297 .algorithm_mkey = SSL_kDHE,
298 .algorithm_auth = SSL_aRSA,
299 .algorithm_enc = SSL_3DES,
300 .algorithm_mac = SSL_SHA1,
301 .algorithm_ssl = SSL_SSLV3,
302 .algo_strength = SSL_MEDIUM,
303 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
304 .strength_bits = 112,
305 .alg_bits = 168,
306 },
307
308 /* Cipher 18 */
309 {
310 .valid = 1,
311 .name = SSL3_TXT_ADH_RC4_128_MD5,
312 .id = SSL3_CK_ADH_RC4_128_MD5,
313 .algorithm_mkey = SSL_kDHE,
314 .algorithm_auth = SSL_aNULL,
315 .algorithm_enc = SSL_RC4,
316 .algorithm_mac = SSL_MD5,
317 .algorithm_ssl = SSL_SSLV3,
318 .algo_strength = SSL_LOW,
319 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
320 .strength_bits = 128,
321 .alg_bits = 128,
322 },
323
324 /* Cipher 1A */
325 {
326 .valid = 1,
327 .name = SSL3_TXT_ADH_DES_64_CBC_SHA,
328 .id = SSL3_CK_ADH_DES_64_CBC_SHA,
329 .algorithm_mkey = SSL_kDHE,
330 .algorithm_auth = SSL_aNULL,
331 .algorithm_enc = SSL_DES,
332 .algorithm_mac = SSL_SHA1,
333 .algorithm_ssl = SSL_SSLV3,
334 .algo_strength = SSL_LOW,
335 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
336 .strength_bits = 56,
337 .alg_bits = 56,
338 },
339
340 /* Cipher 1B */
341 {
342 .valid = 1,
343 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
344 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
345 .algorithm_mkey = SSL_kDHE,
346 .algorithm_auth = SSL_aNULL,
347 .algorithm_enc = SSL_3DES,
348 .algorithm_mac = SSL_SHA1,
349 .algorithm_ssl = SSL_SSLV3,
350 .algo_strength = SSL_MEDIUM,
351 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
352 .strength_bits = 112,
353 .alg_bits = 168,
354 },
355
356 /*
357 * AES ciphersuites.
358 */
359
360 /* Cipher 2F */
361 {
362 .valid = 1,
363 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
364 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
365 .algorithm_mkey = SSL_kRSA,
366 .algorithm_auth = SSL_aRSA,
367 .algorithm_enc = SSL_AES128,
368 .algorithm_mac = SSL_SHA1,
369 .algorithm_ssl = SSL_TLSV1,
370 .algo_strength = SSL_HIGH,
371 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
372 .strength_bits = 128,
373 .alg_bits = 128,
374 },
375
376 /* Cipher 33 */
377 {
378 .valid = 1,
379 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
380 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
381 .algorithm_mkey = SSL_kDHE,
382 .algorithm_auth = SSL_aRSA,
383 .algorithm_enc = SSL_AES128,
384 .algorithm_mac = SSL_SHA1,
385 .algorithm_ssl = SSL_TLSV1,
386 .algo_strength = SSL_HIGH,
387 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
388 .strength_bits = 128,
389 .alg_bits = 128,
390 },
391
392 /* Cipher 34 */
393 {
394 .valid = 1,
395 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
396 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
397 .algorithm_mkey = SSL_kDHE,
398 .algorithm_auth = SSL_aNULL,
399 .algorithm_enc = SSL_AES128,
400 .algorithm_mac = SSL_SHA1,
401 .algorithm_ssl = SSL_TLSV1,
402 .algo_strength = SSL_HIGH,
403 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
404 .strength_bits = 128,
405 .alg_bits = 128,
406 },
407
408 /* Cipher 35 */
409 {
410 .valid = 1,
411 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
412 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
413 .algorithm_mkey = SSL_kRSA,
414 .algorithm_auth = SSL_aRSA,
415 .algorithm_enc = SSL_AES256,
416 .algorithm_mac = SSL_SHA1,
417 .algorithm_ssl = SSL_TLSV1,
418 .algo_strength = SSL_HIGH,
419 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
420 .strength_bits = 256,
421 .alg_bits = 256,
422 },
423
424 /* Cipher 39 */
425 {
426 .valid = 1,
427 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
428 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
429 .algorithm_mkey = SSL_kDHE,
430 .algorithm_auth = SSL_aRSA,
431 .algorithm_enc = SSL_AES256,
432 .algorithm_mac = SSL_SHA1,
433 .algorithm_ssl = SSL_TLSV1,
434 .algo_strength = SSL_HIGH,
435 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
436 .strength_bits = 256,
437 .alg_bits = 256,
438 },
439
440 /* Cipher 3A */
441 {
442 .valid = 1,
443 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
444 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
445 .algorithm_mkey = SSL_kDHE,
446 .algorithm_auth = SSL_aNULL,
447 .algorithm_enc = SSL_AES256,
448 .algorithm_mac = SSL_SHA1,
449 .algorithm_ssl = SSL_TLSV1,
450 .algo_strength = SSL_HIGH,
451 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
452 .strength_bits = 256,
453 .alg_bits = 256,
454 },
455
456 /* TLS v1.2 ciphersuites */
457 /* Cipher 3B */
458 {
459 .valid = 1,
460 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
461 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
462 .algorithm_mkey = SSL_kRSA,
463 .algorithm_auth = SSL_aRSA,
464 .algorithm_enc = SSL_eNULL,
465 .algorithm_mac = SSL_SHA256,
466 .algorithm_ssl = SSL_TLSV1_2,
467 .algo_strength = SSL_STRONG_NONE,
468 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
469 .strength_bits = 0,
470 .alg_bits = 0,
471 },
472
473 /* Cipher 3C */
474 {
475 .valid = 1,
476 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
477 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
478 .algorithm_mkey = SSL_kRSA,
479 .algorithm_auth = SSL_aRSA,
480 .algorithm_enc = SSL_AES128,
481 .algorithm_mac = SSL_SHA256,
482 .algorithm_ssl = SSL_TLSV1_2,
483 .algo_strength = SSL_HIGH,
484 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
485 .strength_bits = 128,
486 .alg_bits = 128,
487 },
488
489 /* Cipher 3D */
490 {
491 .valid = 1,
492 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
493 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
494 .algorithm_mkey = SSL_kRSA,
495 .algorithm_auth = SSL_aRSA,
496 .algorithm_enc = SSL_AES256,
497 .algorithm_mac = SSL_SHA256,
498 .algorithm_ssl = SSL_TLSV1_2,
499 .algo_strength = SSL_HIGH,
500 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
501 .strength_bits = 256,
502 .alg_bits = 256,
503 },
504
505 #ifndef OPENSSL_NO_CAMELLIA
506 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
507
508 /* Cipher 41 */
509 {
510 .valid = 1,
511 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
512 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
513 .algorithm_mkey = SSL_kRSA,
514 .algorithm_auth = SSL_aRSA,
515 .algorithm_enc = SSL_CAMELLIA128,
516 .algorithm_mac = SSL_SHA1,
517 .algorithm_ssl = SSL_TLSV1,
518 .algo_strength = SSL_HIGH,
519 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
520 .strength_bits = 128,
521 .alg_bits = 128,
522 },
523
524 /* Cipher 45 */
525 {
526 .valid = 1,
527 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
528 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
529 .algorithm_mkey = SSL_kDHE,
530 .algorithm_auth = SSL_aRSA,
531 .algorithm_enc = SSL_CAMELLIA128,
532 .algorithm_mac = SSL_SHA1,
533 .algorithm_ssl = SSL_TLSV1,
534 .algo_strength = SSL_HIGH,
535 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
536 .strength_bits = 128,
537 .alg_bits = 128,
538 },
539
540 /* Cipher 46 */
541 {
542 .valid = 1,
543 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
544 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
545 .algorithm_mkey = SSL_kDHE,
546 .algorithm_auth = SSL_aNULL,
547 .algorithm_enc = SSL_CAMELLIA128,
548 .algorithm_mac = SSL_SHA1,
549 .algorithm_ssl = SSL_TLSV1,
550 .algo_strength = SSL_HIGH,
551 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
552 .strength_bits = 128,
553 .alg_bits = 128,
554 },
555 #endif /* OPENSSL_NO_CAMELLIA */
556
557 /* TLS v1.2 ciphersuites */
558 /* Cipher 67 */
559 {
560 .valid = 1,
561 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
562 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
563 .algorithm_mkey = SSL_kDHE,
564 .algorithm_auth = SSL_aRSA,
565 .algorithm_enc = SSL_AES128,
566 .algorithm_mac = SSL_SHA256,
567 .algorithm_ssl = SSL_TLSV1_2,
568 .algo_strength = SSL_HIGH,
569 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
570 .strength_bits = 128,
571 .alg_bits = 128,
572 },
573
574 /* Cipher 6B */
575 {
576 .valid = 1,
577 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
578 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
579 .algorithm_mkey = SSL_kDHE,
580 .algorithm_auth = SSL_aRSA,
581 .algorithm_enc = SSL_AES256,
582 .algorithm_mac = SSL_SHA256,
583 .algorithm_ssl = SSL_TLSV1_2,
584 .algo_strength = SSL_HIGH,
585 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
586 .strength_bits = 256,
587 .alg_bits = 256,
588 },
589
590 /* Cipher 6C */
591 {
592 .valid = 1,
593 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
594 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
595 .algorithm_mkey = SSL_kDHE,
596 .algorithm_auth = SSL_aNULL,
597 .algorithm_enc = SSL_AES128,
598 .algorithm_mac = SSL_SHA256,
599 .algorithm_ssl = SSL_TLSV1_2,
600 .algo_strength = SSL_HIGH,
601 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
602 .strength_bits = 128,
603 .alg_bits = 128,
604 },
605
606 /* Cipher 6D */
607 {
608 .valid = 1,
609 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
610 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
611 .algorithm_mkey = SSL_kDHE,
612 .algorithm_auth = SSL_aNULL,
613 .algorithm_enc = SSL_AES256,
614 .algorithm_mac = SSL_SHA256,
615 .algorithm_ssl = SSL_TLSV1_2,
616 .algo_strength = SSL_HIGH,
617 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
618 .strength_bits = 256,
619 .alg_bits = 256,
620 },
621
622 /* GOST Ciphersuites */
623
624 /* Cipher 81 */
625 {
626 .valid = 1,
627 .name = "GOST2001-GOST89-GOST89",
628 .id = 0x3000081,
629 .algorithm_mkey = SSL_kGOST,
630 .algorithm_auth = SSL_aGOST01,
631 .algorithm_enc = SSL_eGOST2814789CNT,
632 .algorithm_mac = SSL_GOST89MAC,
633 .algorithm_ssl = SSL_TLSV1,
634 .algo_strength = SSL_HIGH,
635 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
636 TLS1_STREAM_MAC,
637 .strength_bits = 256,
638 .alg_bits = 256
639 },
640
641 /* Cipher 83 */
642 {
643 .valid = 1,
644 .name = "GOST2001-NULL-GOST94",
645 .id = 0x3000083,
646 .algorithm_mkey = SSL_kGOST,
647 .algorithm_auth = SSL_aGOST01,
648 .algorithm_enc = SSL_eNULL,
649 .algorithm_mac = SSL_GOST94,
650 .algorithm_ssl = SSL_TLSV1,
651 .algo_strength = SSL_STRONG_NONE,
652 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
653 .strength_bits = 0,
654 .alg_bits = 0
655 },
656
657 #ifndef OPENSSL_NO_CAMELLIA
658 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
659
660 /* Cipher 84 */
661 {
662 .valid = 1,
663 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
664 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
665 .algorithm_mkey = SSL_kRSA,
666 .algorithm_auth = SSL_aRSA,
667 .algorithm_enc = SSL_CAMELLIA256,
668 .algorithm_mac = SSL_SHA1,
669 .algorithm_ssl = SSL_TLSV1,
670 .algo_strength = SSL_HIGH,
671 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
672 .strength_bits = 256,
673 .alg_bits = 256,
674 },
675
676 /* Cipher 88 */
677 {
678 .valid = 1,
679 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
680 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
681 .algorithm_mkey = SSL_kDHE,
682 .algorithm_auth = SSL_aRSA,
683 .algorithm_enc = SSL_CAMELLIA256,
684 .algorithm_mac = SSL_SHA1,
685 .algorithm_ssl = SSL_TLSV1,
686 .algo_strength = SSL_HIGH,
687 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
688 .strength_bits = 256,
689 .alg_bits = 256,
690 },
691
692 /* Cipher 89 */
693 {
694 .valid = 1,
695 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
696 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
697 .algorithm_mkey = SSL_kDHE,
698 .algorithm_auth = SSL_aNULL,
699 .algorithm_enc = SSL_CAMELLIA256,
700 .algorithm_mac = SSL_SHA1,
701 .algorithm_ssl = SSL_TLSV1,
702 .algo_strength = SSL_HIGH,
703 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
704 .strength_bits = 256,
705 .alg_bits = 256,
706 },
707 #endif /* OPENSSL_NO_CAMELLIA */
708
709 /*
710 * GCM ciphersuites from RFC5288.
711 */
712
713 /* Cipher 9C */
714 {
715 .valid = 1,
716 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
717 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
718 .algorithm_mkey = SSL_kRSA,
719 .algorithm_auth = SSL_aRSA,
720 .algorithm_enc = SSL_AES128GCM,
721 .algorithm_mac = SSL_AEAD,
722 .algorithm_ssl = SSL_TLSV1_2,
723 .algo_strength = SSL_HIGH,
724 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
725 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
726 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
727 .strength_bits = 128,
728 .alg_bits = 128,
729 },
730
731 /* Cipher 9D */
732 {
733 .valid = 1,
734 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
735 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
736 .algorithm_mkey = SSL_kRSA,
737 .algorithm_auth = SSL_aRSA,
738 .algorithm_enc = SSL_AES256GCM,
739 .algorithm_mac = SSL_AEAD,
740 .algorithm_ssl = SSL_TLSV1_2,
741 .algo_strength = SSL_HIGH,
742 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
743 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
744 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
745 .strength_bits = 256,
746 .alg_bits = 256,
747 },
748
749 /* Cipher 9E */
750 {
751 .valid = 1,
752 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
753 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
754 .algorithm_mkey = SSL_kDHE,
755 .algorithm_auth = SSL_aRSA,
756 .algorithm_enc = SSL_AES128GCM,
757 .algorithm_mac = SSL_AEAD,
758 .algorithm_ssl = SSL_TLSV1_2,
759 .algo_strength = SSL_HIGH,
760 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
761 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
762 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
763 .strength_bits = 128,
764 .alg_bits = 128,
765 },
766
767 /* Cipher 9F */
768 {
769 .valid = 1,
770 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
771 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
772 .algorithm_mkey = SSL_kDHE,
773 .algorithm_auth = SSL_aRSA,
774 .algorithm_enc = SSL_AES256GCM,
775 .algorithm_mac = SSL_AEAD,
776 .algorithm_ssl = SSL_TLSV1_2,
777 .algo_strength = SSL_HIGH,
778 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
779 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
780 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
781 .strength_bits = 256,
782 .alg_bits = 256,
783 },
784
785 /* Cipher A6 */
786 {
787 .valid = 1,
788 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
789 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
790 .algorithm_mkey = SSL_kDHE,
791 .algorithm_auth = SSL_aNULL,
792 .algorithm_enc = SSL_AES128GCM,
793 .algorithm_mac = SSL_AEAD,
794 .algorithm_ssl = SSL_TLSV1_2,
795 .algo_strength = SSL_HIGH,
796 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
797 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
798 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
799 .strength_bits = 128,
800 .alg_bits = 128,
801 },
802
803 /* Cipher A7 */
804 {
805 .valid = 1,
806 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
807 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
808 .algorithm_mkey = SSL_kDHE,
809 .algorithm_auth = SSL_aNULL,
810 .algorithm_enc = SSL_AES256GCM,
811 .algorithm_mac = SSL_AEAD,
812 .algorithm_ssl = SSL_TLSV1_2,
813 .algo_strength = SSL_HIGH,
814 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
815 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
816 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
817 .strength_bits = 256,
818 .alg_bits = 256,
819 },
820
821 #ifndef OPENSSL_NO_CAMELLIA
822 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
823
824 /* Cipher BA */
825 {
826 .valid = 1,
827 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
828 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
829 .algorithm_mkey = SSL_kRSA,
830 .algorithm_auth = SSL_aRSA,
831 .algorithm_enc = SSL_CAMELLIA128,
832 .algorithm_mac = SSL_SHA256,
833 .algorithm_ssl = SSL_TLSV1_2,
834 .algo_strength = SSL_HIGH,
835 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
836 .strength_bits = 128,
837 .alg_bits = 128,
838 },
839
840 /* Cipher BE */
841 {
842 .valid = 1,
843 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
844 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
845 .algorithm_mkey = SSL_kDHE,
846 .algorithm_auth = SSL_aRSA,
847 .algorithm_enc = SSL_CAMELLIA128,
848 .algorithm_mac = SSL_SHA256,
849 .algorithm_ssl = SSL_TLSV1_2,
850 .algo_strength = SSL_HIGH,
851 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
852 .strength_bits = 128,
853 .alg_bits = 128,
854 },
855
856 /* Cipher BF */
857 {
858 .valid = 1,
859 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
860 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
861 .algorithm_mkey = SSL_kDHE,
862 .algorithm_auth = SSL_aNULL,
863 .algorithm_enc = SSL_CAMELLIA128,
864 .algorithm_mac = SSL_SHA256,
865 .algorithm_ssl = SSL_TLSV1_2,
866 .algo_strength = SSL_HIGH,
867 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
868 .strength_bits = 128,
869 .alg_bits = 128,
870 },
871
872 /* Cipher C0 */
873 {
874 .valid = 1,
875 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
876 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
877 .algorithm_mkey = SSL_kRSA,
878 .algorithm_auth = SSL_aRSA,
879 .algorithm_enc = SSL_CAMELLIA256,
880 .algorithm_mac = SSL_SHA256,
881 .algorithm_ssl = SSL_TLSV1_2,
882 .algo_strength = SSL_HIGH,
883 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
884 .strength_bits = 256,
885 .alg_bits = 256,
886 },
887
888 /* Cipher C4 */
889 {
890 .valid = 1,
891 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
892 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
893 .algorithm_mkey = SSL_kDHE,
894 .algorithm_auth = SSL_aRSA,
895 .algorithm_enc = SSL_CAMELLIA256,
896 .algorithm_mac = SSL_SHA256,
897 .algorithm_ssl = SSL_TLSV1_2,
898 .algo_strength = SSL_HIGH,
899 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
900 .strength_bits = 256,
901 .alg_bits = 256,
902 },
903
904 /* Cipher C5 */
905 {
906 .valid = 1,
907 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
908 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
909 .algorithm_mkey = SSL_kDHE,
910 .algorithm_auth = SSL_aNULL,
911 .algorithm_enc = SSL_CAMELLIA256,
912 .algorithm_mac = SSL_SHA256,
913 .algorithm_ssl = SSL_TLSV1_2,
914 .algo_strength = SSL_HIGH,
915 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
916 .strength_bits = 256,
917 .alg_bits = 256,
918 },
919 #endif /* OPENSSL_NO_CAMELLIA */
920
921 /* Cipher C006 */
922 {
923 .valid = 1,
924 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
925 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
926 .algorithm_mkey = SSL_kECDHE,
927 .algorithm_auth = SSL_aECDSA,
928 .algorithm_enc = SSL_eNULL,
929 .algorithm_mac = SSL_SHA1,
930 .algorithm_ssl = SSL_TLSV1,
931 .algo_strength = SSL_STRONG_NONE,
932 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
933 .strength_bits = 0,
934 .alg_bits = 0,
935 },
936
937 /* Cipher C007 */
938 {
939 .valid = 1,
940 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
941 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
942 .algorithm_mkey = SSL_kECDHE,
943 .algorithm_auth = SSL_aECDSA,
944 .algorithm_enc = SSL_RC4,
945 .algorithm_mac = SSL_SHA1,
946 .algorithm_ssl = SSL_TLSV1,
947 .algo_strength = SSL_LOW,
948 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
949 .strength_bits = 128,
950 .alg_bits = 128,
951 },
952
953 /* Cipher C008 */
954 {
955 .valid = 1,
956 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
957 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
958 .algorithm_mkey = SSL_kECDHE,
959 .algorithm_auth = SSL_aECDSA,
960 .algorithm_enc = SSL_3DES,
961 .algorithm_mac = SSL_SHA1,
962 .algorithm_ssl = SSL_TLSV1,
963 .algo_strength = SSL_MEDIUM,
964 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
965 .strength_bits = 112,
966 .alg_bits = 168,
967 },
968
969 /* Cipher C009 */
970 {
971 .valid = 1,
972 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
973 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
974 .algorithm_mkey = SSL_kECDHE,
975 .algorithm_auth = SSL_aECDSA,
976 .algorithm_enc = SSL_AES128,
977 .algorithm_mac = SSL_SHA1,
978 .algorithm_ssl = SSL_TLSV1,
979 .algo_strength = SSL_HIGH,
980 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
981 .strength_bits = 128,
982 .alg_bits = 128,
983 },
984
985 /* Cipher C00A */
986 {
987 .valid = 1,
988 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
989 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
990 .algorithm_mkey = SSL_kECDHE,
991 .algorithm_auth = SSL_aECDSA,
992 .algorithm_enc = SSL_AES256,
993 .algorithm_mac = SSL_SHA1,
994 .algorithm_ssl = SSL_TLSV1,
995 .algo_strength = SSL_HIGH,
996 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
997 .strength_bits = 256,
998 .alg_bits = 256,
999 },
1000
1001 /* Cipher C010 */
1002 {
1003 .valid = 1,
1004 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1005 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1006 .algorithm_mkey = SSL_kECDHE,
1007 .algorithm_auth = SSL_aRSA,
1008 .algorithm_enc = SSL_eNULL,
1009 .algorithm_mac = SSL_SHA1,
1010 .algorithm_ssl = SSL_TLSV1,
1011 .algo_strength = SSL_STRONG_NONE,
1012 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1013 .strength_bits = 0,
1014 .alg_bits = 0,
1015 },
1016
1017 /* Cipher C011 */
1018 {
1019 .valid = 1,
1020 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1021 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1022 .algorithm_mkey = SSL_kECDHE,
1023 .algorithm_auth = SSL_aRSA,
1024 .algorithm_enc = SSL_RC4,
1025 .algorithm_mac = SSL_SHA1,
1026 .algorithm_ssl = SSL_TLSV1,
1027 .algo_strength = SSL_LOW,
1028 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1029 .strength_bits = 128,
1030 .alg_bits = 128,
1031 },
1032
1033 /* Cipher C012 */
1034 {
1035 .valid = 1,
1036 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1037 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1038 .algorithm_mkey = SSL_kECDHE,
1039 .algorithm_auth = SSL_aRSA,
1040 .algorithm_enc = SSL_3DES,
1041 .algorithm_mac = SSL_SHA1,
1042 .algorithm_ssl = SSL_TLSV1,
1043 .algo_strength = SSL_MEDIUM,
1044 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1045 .strength_bits = 112,
1046 .alg_bits = 168,
1047 },
1048
1049 /* Cipher C013 */
1050 {
1051 .valid = 1,
1052 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1053 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1054 .algorithm_mkey = SSL_kECDHE,
1055 .algorithm_auth = SSL_aRSA,
1056 .algorithm_enc = SSL_AES128,
1057 .algorithm_mac = SSL_SHA1,
1058 .algorithm_ssl = SSL_TLSV1,
1059 .algo_strength = SSL_HIGH,
1060 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1061 .strength_bits = 128,
1062 .alg_bits = 128,
1063 },
1064
1065 /* Cipher C014 */
1066 {
1067 .valid = 1,
1068 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1069 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1070 .algorithm_mkey = SSL_kECDHE,
1071 .algorithm_auth = SSL_aRSA,
1072 .algorithm_enc = SSL_AES256,
1073 .algorithm_mac = SSL_SHA1,
1074 .algorithm_ssl = SSL_TLSV1,
1075 .algo_strength = SSL_HIGH,
1076 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1077 .strength_bits = 256,
1078 .alg_bits = 256,
1079 },
1080
1081 /* Cipher C015 */
1082 {
1083 .valid = 1,
1084 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1085 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1086 .algorithm_mkey = SSL_kECDHE,
1087 .algorithm_auth = SSL_aNULL,
1088 .algorithm_enc = SSL_eNULL,
1089 .algorithm_mac = SSL_SHA1,
1090 .algorithm_ssl = SSL_TLSV1,
1091 .algo_strength = SSL_STRONG_NONE,
1092 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1093 .strength_bits = 0,
1094 .alg_bits = 0,
1095 },
1096
1097 /* Cipher C016 */
1098 {
1099 .valid = 1,
1100 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1101 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1102 .algorithm_mkey = SSL_kECDHE,
1103 .algorithm_auth = SSL_aNULL,
1104 .algorithm_enc = SSL_RC4,
1105 .algorithm_mac = SSL_SHA1,
1106 .algorithm_ssl = SSL_TLSV1,
1107 .algo_strength = SSL_LOW,
1108 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1109 .strength_bits = 128,
1110 .alg_bits = 128,
1111 },
1112
1113 /* Cipher C017 */
1114 {
1115 .valid = 1,
1116 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1117 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1118 .algorithm_mkey = SSL_kECDHE,
1119 .algorithm_auth = SSL_aNULL,
1120 .algorithm_enc = SSL_3DES,
1121 .algorithm_mac = SSL_SHA1,
1122 .algorithm_ssl = SSL_TLSV1,
1123 .algo_strength = SSL_MEDIUM,
1124 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1125 .strength_bits = 112,
1126 .alg_bits = 168,
1127 },
1128
1129 /* Cipher C018 */
1130 {
1131 .valid = 1,
1132 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1133 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1134 .algorithm_mkey = SSL_kECDHE,
1135 .algorithm_auth = SSL_aNULL,
1136 .algorithm_enc = SSL_AES128,
1137 .algorithm_mac = SSL_SHA1,
1138 .algorithm_ssl = SSL_TLSV1,
1139 .algo_strength = SSL_HIGH,
1140 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1141 .strength_bits = 128,
1142 .alg_bits = 128,
1143 },
1144
1145 /* Cipher C019 */
1146 {
1147 .valid = 1,
1148 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1149 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1150 .algorithm_mkey = SSL_kECDHE,
1151 .algorithm_auth = SSL_aNULL,
1152 .algorithm_enc = SSL_AES256,
1153 .algorithm_mac = SSL_SHA1,
1154 .algorithm_ssl = SSL_TLSV1,
1155 .algo_strength = SSL_HIGH,
1156 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1157 .strength_bits = 256,
1158 .alg_bits = 256,
1159 },
1160
1161
1162 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1163
1164 /* Cipher C023 */
1165 {
1166 .valid = 1,
1167 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1168 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1169 .algorithm_mkey = SSL_kECDHE,
1170 .algorithm_auth = SSL_aECDSA,
1171 .algorithm_enc = SSL_AES128,
1172 .algorithm_mac = SSL_SHA256,
1173 .algorithm_ssl = SSL_TLSV1_2,
1174 .algo_strength = SSL_HIGH,
1175 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1176 .strength_bits = 128,
1177 .alg_bits = 128,
1178 },
1179
1180 /* Cipher C024 */
1181 {
1182 .valid = 1,
1183 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1184 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1185 .algorithm_mkey = SSL_kECDHE,
1186 .algorithm_auth = SSL_aECDSA,
1187 .algorithm_enc = SSL_AES256,
1188 .algorithm_mac = SSL_SHA384,
1189 .algorithm_ssl = SSL_TLSV1_2,
1190 .algo_strength = SSL_HIGH,
1191 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1192 .strength_bits = 256,
1193 .alg_bits = 256,
1194 },
1195
1196 /* Cipher C027 */
1197 {
1198 .valid = 1,
1199 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1200 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1201 .algorithm_mkey = SSL_kECDHE,
1202 .algorithm_auth = SSL_aRSA,
1203 .algorithm_enc = SSL_AES128,
1204 .algorithm_mac = SSL_SHA256,
1205 .algorithm_ssl = SSL_TLSV1_2,
1206 .algo_strength = SSL_HIGH,
1207 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1208 .strength_bits = 128,
1209 .alg_bits = 128,
1210 },
1211
1212 /* Cipher C028 */
1213 {
1214 .valid = 1,
1215 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1216 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1217 .algorithm_mkey = SSL_kECDHE,
1218 .algorithm_auth = SSL_aRSA,
1219 .algorithm_enc = SSL_AES256,
1220 .algorithm_mac = SSL_SHA384,
1221 .algorithm_ssl = SSL_TLSV1_2,
1222 .algo_strength = SSL_HIGH,
1223 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1224 .strength_bits = 256,
1225 .alg_bits = 256,
1226 },
1227
1228 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1229
1230 /* Cipher C02B */
1231 {
1232 .valid = 1,
1233 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1234 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1235 .algorithm_mkey = SSL_kECDHE,
1236 .algorithm_auth = SSL_aECDSA,
1237 .algorithm_enc = SSL_AES128GCM,
1238 .algorithm_mac = SSL_AEAD,
1239 .algorithm_ssl = SSL_TLSV1_2,
1240 .algo_strength = SSL_HIGH,
1241 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1242 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1243 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1244 .strength_bits = 128,
1245 .alg_bits = 128,
1246 },
1247
1248 /* Cipher C02C */
1249 {
1250 .valid = 1,
1251 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1252 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1253 .algorithm_mkey = SSL_kECDHE,
1254 .algorithm_auth = SSL_aECDSA,
1255 .algorithm_enc = SSL_AES256GCM,
1256 .algorithm_mac = SSL_AEAD,
1257 .algorithm_ssl = SSL_TLSV1_2,
1258 .algo_strength = SSL_HIGH,
1259 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1260 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1261 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1262 .strength_bits = 256,
1263 .alg_bits = 256,
1264 },
1265
1266 /* Cipher C02F */
1267 {
1268 .valid = 1,
1269 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1270 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1271 .algorithm_mkey = SSL_kECDHE,
1272 .algorithm_auth = SSL_aRSA,
1273 .algorithm_enc = SSL_AES128GCM,
1274 .algorithm_mac = SSL_AEAD,
1275 .algorithm_ssl = SSL_TLSV1_2,
1276 .algo_strength = SSL_HIGH,
1277 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1278 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1279 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1280 .strength_bits = 128,
1281 .alg_bits = 128,
1282 },
1283
1284 /* Cipher C030 */
1285 {
1286 .valid = 1,
1287 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1288 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1289 .algorithm_mkey = SSL_kECDHE,
1290 .algorithm_auth = SSL_aRSA,
1291 .algorithm_enc = SSL_AES256GCM,
1292 .algorithm_mac = SSL_AEAD,
1293 .algorithm_ssl = SSL_TLSV1_2,
1294 .algo_strength = SSL_HIGH,
1295 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1296 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1297 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1298 .strength_bits = 256,
1299 .alg_bits = 256,
1300 },
1301
1302 /* Cipher CCA8 */
1303 {
1304 .valid = 1,
1305 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1306 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1307 .algorithm_mkey = SSL_kECDHE,
1308 .algorithm_auth = SSL_aRSA,
1309 .algorithm_enc = SSL_CHACHA20POLY1305,
1310 .algorithm_mac = SSL_AEAD,
1311 .algorithm_ssl = SSL_TLSV1_2,
1312 .algo_strength = SSL_HIGH,
1313 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1314 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1315 .strength_bits = 256,
1316 .alg_bits = 256,
1317 },
1318
1319 /* Cipher CCA9 */
1320 {
1321 .valid = 1,
1322 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1323 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1324 .algorithm_mkey = SSL_kECDHE,
1325 .algorithm_auth = SSL_aECDSA,
1326 .algorithm_enc = SSL_CHACHA20POLY1305,
1327 .algorithm_mac = SSL_AEAD,
1328 .algorithm_ssl = SSL_TLSV1_2,
1329 .algo_strength = SSL_HIGH,
1330 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1331 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1332 .strength_bits = 256,
1333 .alg_bits = 256,
1334 },
1335
1336 /* Cipher CCAA */
1337 {
1338 .valid = 1,
1339 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1340 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1341 .algorithm_mkey = SSL_kDHE,
1342 .algorithm_auth = SSL_aRSA,
1343 .algorithm_enc = SSL_CHACHA20POLY1305,
1344 .algorithm_mac = SSL_AEAD,
1345 .algorithm_ssl = SSL_TLSV1_2,
1346 .algo_strength = SSL_HIGH,
1347 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1348 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1349 .strength_bits = 256,
1350 .alg_bits = 256,
1351 },
1352
1353 /* Cipher FF85 FIXME IANA */
1354 {
1355 .valid = 1,
1356 .name = "GOST2012256-GOST89-GOST89",
1357 .id = 0x300ff85, /* FIXME IANA */
1358 .algorithm_mkey = SSL_kGOST,
1359 .algorithm_auth = SSL_aGOST01,
1360 .algorithm_enc = SSL_eGOST2814789CNT,
1361 .algorithm_mac = SSL_GOST89MAC,
1362 .algorithm_ssl = SSL_TLSV1,
1363 .algo_strength = SSL_HIGH,
1364 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1365 TLS1_STREAM_MAC,
1366 .strength_bits = 256,
1367 .alg_bits = 256
1368 },
1369
1370 /* Cipher FF87 FIXME IANA */
1371 {
1372 .valid = 1,
1373 .name = "GOST2012256-NULL-STREEBOG256",
1374 .id = 0x300ff87, /* FIXME IANA */
1375 .algorithm_mkey = SSL_kGOST,
1376 .algorithm_auth = SSL_aGOST01,
1377 .algorithm_enc = SSL_eNULL,
1378 .algorithm_mac = SSL_STREEBOG256,
1379 .algorithm_ssl = SSL_TLSV1,
1380 .algo_strength = SSL_STRONG_NONE,
1381 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1382 .strength_bits = 0,
1383 .alg_bits = 0
1384 },
1385
1386
1387 /* end of list */
1388 };
1389
1390 int
1391 ssl3_num_ciphers(void)
1392 {
1393 return (SSL3_NUM_CIPHERS);
1394 }
1395
1396 const SSL_CIPHER *
1397 ssl3_get_cipher(unsigned int u)
1398 {
1399 if (u < SSL3_NUM_CIPHERS)
1400 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1401 else
1402 return (NULL);
1403 }
1404
1405 const SSL_CIPHER *
1406 ssl3_get_cipher_by_id(unsigned int id)
1407 {
1408 const SSL_CIPHER *cp;
1409 SSL_CIPHER c;
1410
1411 c.id = id;
1412 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1413 if (cp != NULL && cp->valid == 1)
1414 return (cp);
1415
1416 return (NULL);
1417 }
1418
1419 const SSL_CIPHER *
1420 ssl3_get_cipher_by_value(uint16_t value)
1421 {
1422 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1423 }
1424
1425 uint16_t
1426 ssl3_cipher_get_value(const SSL_CIPHER *c)
1427 {
1428 return (c->id & SSL3_CK_VALUE_MASK);
1429 }
1430
1431 int
1432 ssl3_pending(const SSL *s)
1433 {
1434 if (s->internal->rstate == SSL_ST_READ_BODY)
1435 return 0;
1436
1437 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1438 S3I(s)->rrec.length : 0;
1439 }
1440
1441 int
1442 ssl3_handshake_msg_hdr_len(SSL *s)
1443 {
1444 return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH :
1445 SSL3_HM_HEADER_LENGTH);
1446 }
1447
1448 unsigned char *
1449 ssl3_handshake_msg_start(SSL *s, uint8_t msg_type)
1450 {
1451 unsigned char *d, *p;
1452
1453 d = p = (unsigned char *)s->internal->init_buf->data;
1454
1455 /* Handshake message type and length. */
1456 *(p++) = msg_type;
1457 l2n3(0, p);
1458
1459 return (d + ssl3_handshake_msg_hdr_len(s));
1460 }
1461
1462 void
1463 ssl3_handshake_msg_finish(SSL *s, unsigned int len)
1464 {
1465 unsigned char *p;
1466 uint8_t msg_type;
1467
1468 p = (unsigned char *)s->internal->init_buf->data;
1469
1470 /* Handshake message length. */
1471 msg_type = *(p++);
1472 l2n3(len, p);
1473
1474 s->internal->init_num = ssl3_handshake_msg_hdr_len(s) + (int)len;
1475 s->internal->init_off = 0;
1476
1477 if (SSL_IS_DTLS(s)) {
1478 dtls1_set_message_header(s, msg_type, len, 0, len);
1479 dtls1_buffer_message(s, 0);
1480 }
1481 }
1482
1483 int
1484 ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body,
1485 uint8_t msg_type)
1486 {
1487 int ret = 0;
1488
1489 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1490 goto err;
1491 if (!CBB_add_u8(handshake, msg_type))
1492 goto err;
1493 if (SSL_IS_DTLS(s)) {
1494 unsigned char *data;
1495
1496 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1497 SSL3_HM_HEADER_LENGTH))
1498 goto err;
1499 }
1500 if (!CBB_add_u24_length_prefixed(handshake, body))
1501 goto err;
1502
1503 ret = 1;
1504
1505 err:
1506 return (ret);
1507 }
1508
1509 int
1510 ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake)
1511 {
1512 unsigned char *data = NULL;
1513 size_t outlen;
1514 int ret = 0;
1515
1516 if (!CBB_finish(handshake, &data, &outlen))
1517 goto err;
1518
1519 if (outlen > INT_MAX)
1520 goto err;
1521
1522 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1523 goto err;
1524
1525 memcpy(s->internal->init_buf->data, data, outlen);
1526
1527 s->internal->init_num = (int)outlen;
1528 s->internal->init_off = 0;
1529
1530 if (SSL_IS_DTLS(s)) {
1531 unsigned long len;
1532 uint8_t msg_type;
1533 CBS cbs;
1534
1535 CBS_init(&cbs, data, outlen);
1536 if (!CBS_get_u8(&cbs, &msg_type))
1537 goto err;
1538
1539 len = outlen - ssl3_handshake_msg_hdr_len(s);
1540
1541 dtls1_set_message_header(s, msg_type, len, 0, len);
1542 dtls1_buffer_message(s, 0);
1543 }
1544
1545 ret = 1;
1546
1547 err:
1548 free(data);
1549
1550 return (ret);
1551 }
1552
1553 int
1554 ssl3_handshake_write(SSL *s)
1555 {
1556 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1557 }
1558
1559 int
1560 ssl3_record_write(SSL *s, int type)
1561 {
1562 if (SSL_IS_DTLS(s))
1563 return dtls1_do_write(s, type);
1564
1565 return ssl3_do_write(s, type);
1566 }
1567
1568 int
1569 ssl3_new(SSL *s)
1570 {
1571 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1572 return (0);
1573 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
1574 free(s->s3);
1575 return (0);
1576 }
1577
1578 s->method->internal->ssl_clear(s);
1579
1580 return (1);
1581 }
1582
1583 void
1584 ssl3_free(SSL *s)
1585 {
1586 if (s == NULL)
1587 return;
1588
1589 tls1_cleanup_key_block(s);
1590 ssl3_release_read_buffer(s);
1591 ssl3_release_write_buffer(s);
1592
1593 DH_free(S3I(s)->tmp.dh);
1594 EC_KEY_free(S3I(s)->tmp.ecdh);
1595
1596 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1597
1598 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1599
1600 BIO_free(S3I(s)->handshake_buffer);
1601
1602 tls1_handshake_hash_free(s);
1603
1604 free(S3I(s)->alpn_selected);
1605
1606 freezero(S3I(s), sizeof(*S3I(s)));
1607 freezero(s->s3, sizeof(*s->s3));
1608
1609 s->s3 = NULL;
1610 }
1611
1612 void
1613 ssl3_clear(SSL *s)
1614 {
1615 struct ssl3_state_internal_st *internal;
1616 unsigned char *rp, *wp;
1617 size_t rlen, wlen;
1618
1619 tls1_cleanup_key_block(s);
1620 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1621
1622 DH_free(S3I(s)->tmp.dh);
1623 S3I(s)->tmp.dh = NULL;
1624 EC_KEY_free(S3I(s)->tmp.ecdh);
1625 S3I(s)->tmp.ecdh = NULL;
1626
1627 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1628 S3I(s)->tmp.x25519 = NULL;
1629
1630 rp = s->s3->rbuf.buf;
1631 wp = s->s3->wbuf.buf;
1632 rlen = s->s3->rbuf.len;
1633 wlen = s->s3->wbuf.len;
1634
1635 BIO_free(S3I(s)->handshake_buffer);
1636 S3I(s)->handshake_buffer = NULL;
1637
1638 tls1_handshake_hash_free(s);
1639
1640 free(S3I(s)->alpn_selected);
1641 S3I(s)->alpn_selected = NULL;
1642
1643 memset(S3I(s), 0, sizeof(*S3I(s)));
1644 internal = S3I(s);
1645 memset(s->s3, 0, sizeof(*s->s3));
1646 S3I(s) = internal;
1647
1648 s->s3->rbuf.buf = rp;
1649 s->s3->wbuf.buf = wp;
1650 s->s3->rbuf.len = rlen;
1651 s->s3->wbuf.len = wlen;
1652
1653 ssl_free_wbio_buffer(s);
1654
1655 /* Not needed... */
1656 S3I(s)->renegotiate = 0;
1657 S3I(s)->total_renegotiations = 0;
1658 S3I(s)->num_renegotiations = 0;
1659 S3I(s)->in_read_app_data = 0;
1660
1661 s->internal->packet_length = 0;
1662 s->version = TLS1_VERSION;
1663 }
1664
1665 static long
1666 ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)
1667 {
1668 EVP_PKEY *pkey = NULL;
1669 EC_GROUP *group = NULL;
1670 EC_POINT *point = NULL;
1671 EC_KEY *ec_key = NULL;
1672 BIGNUM *order = NULL;
1673 SESS_CERT *sc;
1674 int ret = 0;
1675
1676 *pkey_tmp = NULL;
1677
1678 if (s->server != 0)
1679 return 0;
1680 if (s->session == NULL || SSI(s)->sess_cert == NULL)
1681 return 0;
1682
1683 sc = SSI(s)->sess_cert;
1684
1685 if ((pkey = EVP_PKEY_new()) == NULL)
1686 return 0;
1687
1688 if (sc->peer_dh_tmp != NULL) {
1689 ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp);
1690 } else if (sc->peer_ecdh_tmp) {
1691 ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp);
1692 } else if (sc->peer_x25519_tmp != NULL) {
1693 /* Fudge up an EC_KEY that looks like X25519... */
1694 if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL)
1695 goto err;
1696 if ((point = EC_POINT_new(group)) == NULL)
1697 goto err;
1698 if ((order = BN_new()) == NULL)
1699 goto err;
1700 if (!BN_set_bit(order, 252))
1701 goto err;
1702 if (!EC_GROUP_set_generator(group, point, order, NULL))
1703 goto err;
1704 EC_GROUP_set_curve_name(group, NID_X25519);
1705 if ((ec_key = EC_KEY_new()) == NULL)
1706 goto err;
1707 if (!EC_KEY_set_group(ec_key, group))
1708 goto err;
1709 ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key);
1710 }
1711
1712 if (ret == 1) {
1713 *pkey_tmp = pkey;
1714 pkey = NULL;
1715 }
1716
1717 err:
1718 EVP_PKEY_free(pkey);
1719 EC_GROUP_free(group);
1720 EC_POINT_free(point);
1721 EC_KEY_free(ec_key);
1722 BN_free(order);
1723
1724 return (ret);
1725 }
1726
1727 static int
1728 _SSL_session_reused(SSL *s)
1729 {
1730 return s->internal->hit;
1731 }
1732
1733 static int
1734 _SSL_num_renegotiations(SSL *s)
1735 {
1736 return S3I(s)->num_renegotiations;
1737 }
1738
1739 static int
1740 _SSL_clear_num_renegotiations(SSL *s)
1741 {
1742 int renegs;
1743
1744 renegs = S3I(s)->num_renegotiations;
1745 S3I(s)->num_renegotiations = 0;
1746
1747 return renegs;
1748 }
1749
1750 static int
1751 _SSL_total_renegotiations(SSL *s)
1752 {
1753 return S3I(s)->total_renegotiations;
1754 }
1755
1756 static int
1757 _SSL_set_tmp_dh(SSL *s, DH *dh)
1758 {
1759 DH *dh_tmp;
1760
1761 if (!ssl_cert_inst(&s->cert)) {
1762 SSLerror(s, ERR_R_MALLOC_FAILURE);
1763 return 0;
1764 }
1765
1766 if (dh == NULL) {
1767 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1768 return 0;
1769 }
1770
1771 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
1772 SSLerror(s, ERR_R_DH_LIB);
1773 return 0;
1774 }
1775
1776 DH_free(s->cert->dh_tmp);
1777 s->cert->dh_tmp = dh_tmp;
1778
1779 return 1;
1780 }
1781
1782 static int
1783 _SSL_set_dh_auto(SSL *s, int state)
1784 {
1785 s->cert->dh_tmp_auto = state;
1786 return 1;
1787 }
1788
1789 static int
1790 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1791 {
1792 const EC_GROUP *group;
1793 int nid;
1794
1795 if (!ssl_cert_inst(&s->cert)) {
1796 SSLerror(s, ERR_R_MALLOC_FAILURE);
1797 return 0;
1798 }
1799
1800 if (ecdh == NULL)
1801 return 0;
1802 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1803 return 0;
1804
1805 nid = EC_GROUP_get_curve_name(group);
1806 return SSL_set1_groups(s, &nid, 1);
1807 }
1808
1809 static int
1810 _SSL_set_ecdh_auto(SSL *s, int state)
1811 {
1812 return 1;
1813 }
1814
1815 static int
1816 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1817 {
1818 free(s->tlsext_hostname);
1819 s->tlsext_hostname = NULL;
1820
1821 if (name == NULL)
1822 return 1;
1823
1824 if (strlen(name) > TLSEXT_MAXLEN_host_name) {
1825 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1826 return 0;
1827 }
1828
1829 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1830 SSLerror(s, ERR_R_INTERNAL_ERROR);
1831 return 0;
1832 }
1833
1834 return 1;
1835 }
1836
1837 static int
1838 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1839 {
1840 s->internal->tlsext_debug_arg = arg;
1841 return 1;
1842 }
1843
1844 static int
1845 _SSL_set_tlsext_status_type(SSL *s, int type)
1846 {
1847 s->tlsext_status_type = type;
1848 return 1;
1849 }
1850
1851 static int
1852 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1853 {
1854 *exts = s->internal->tlsext_ocsp_exts;
1855 return 1;
1856 }
1857
1858 static int
1859 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1860 {
1861 /* XXX - leak... */
1862 s->internal->tlsext_ocsp_exts = exts;
1863 return 1;
1864 }
1865
1866 static int
1867 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1868 {
1869 *ids = s->internal->tlsext_ocsp_ids;
1870 return 1;
1871 }
1872
1873 static int
1874 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1875 {
1876 /* XXX - leak... */
1877 s->internal->tlsext_ocsp_ids = ids;
1878 return 1;
1879 }
1880
1881 static int
1882 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1883 {
1884 *resp = s->internal->tlsext_ocsp_resp;
1885 return s->internal->tlsext_ocsp_resplen;
1886 }
1887
1888 static int
1889 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1890 {
1891 free(s->internal->tlsext_ocsp_resp);
1892 s->internal->tlsext_ocsp_resp = resp;
1893 s->internal->tlsext_ocsp_resplen = resp_len;
1894 return 1;
1895 }
1896
1897 int
1898 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1899 {
1900 return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1901 &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1902 }
1903
1904 int
1905 SSL_set1_groups_list(SSL *s, const char *groups)
1906 {
1907 return tls1_set_groups_list(&s->internal->tlsext_supportedgroups,
1908 &s->internal->tlsext_supportedgroups_length, groups);
1909 }
1910
1911 long
1912 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1913 {
1914 switch (cmd) {
1915 case SSL_CTRL_GET_SESSION_REUSED:
1916 return _SSL_session_reused(s);
1917
1918 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1919 return _SSL_num_renegotiations(s);
1920
1921 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1922 return _SSL_clear_num_renegotiations(s);
1923
1924 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1925 return _SSL_total_renegotiations(s);
1926
1927 case SSL_CTRL_SET_TMP_DH:
1928 return _SSL_set_tmp_dh(s, parg);
1929
1930 case SSL_CTRL_SET_TMP_DH_CB:
1931 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1932 return 0;
1933
1934 case SSL_CTRL_SET_DH_AUTO:
1935 return _SSL_set_dh_auto(s, larg);
1936
1937 case SSL_CTRL_SET_TMP_ECDH:
1938 return _SSL_set_tmp_ecdh(s, parg);
1939
1940 case SSL_CTRL_SET_TMP_ECDH_CB:
1941 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1942 return 0;
1943
1944 case SSL_CTRL_SET_ECDH_AUTO:
1945 return _SSL_set_ecdh_auto(s, larg);
1946
1947 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
1948 if (larg != TLSEXT_NAMETYPE_host_name) {
1949 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
1950 return 0;
1951 }
1952 return _SSL_set_tlsext_host_name(s, parg);
1953
1954 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
1955 return _SSL_set_tlsext_debug_arg(s, parg);
1956
1957 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
1958 return _SSL_set_tlsext_status_type(s, larg);
1959
1960 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
1961 return _SSL_get_tlsext_status_exts(s, parg);
1962
1963 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
1964 return _SSL_set_tlsext_status_exts(s, parg);
1965
1966 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
1967 return _SSL_get_tlsext_status_ids(s, parg);
1968
1969 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
1970 return _SSL_set_tlsext_status_ids(s, parg);
1971
1972 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
1973 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
1974
1975 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
1976 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
1977
1978 case SSL_CTRL_SET_GROUPS:
1979 return SSL_set1_groups(s, parg, larg);
1980
1981 case SSL_CTRL_SET_GROUPS_LIST:
1982 return SSL_set1_groups_list(s, parg);
1983
1984 case SSL_CTRL_GET_SERVER_TMP_KEY:
1985 return ssl_ctrl_get_server_tmp_key(s, parg);
1986
1987 case SSL_CTRL_GET_MIN_PROTO_VERSION:
1988 return SSL_get_min_proto_version(s);
1989
1990 case SSL_CTRL_GET_MAX_PROTO_VERSION:
1991 return SSL_get_max_proto_version(s);
1992
1993 case SSL_CTRL_SET_MIN_PROTO_VERSION:
1994 if (larg < 0 || larg > UINT16_MAX)
1995 return 0;
1996 return SSL_set_min_proto_version(s, larg);
1997
1998 case SSL_CTRL_SET_MAX_PROTO_VERSION:
1999 if (larg < 0 || larg > UINT16_MAX)
2000 return 0;
2001 return SSL_set_max_proto_version(s, larg);
2002
2003 /*
2004 * Legacy controls that should eventually be removed.
2005 */
2006 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2007 return 0;
2008
2009 case SSL_CTRL_GET_FLAGS:
2010 return (int)(s->s3->flags);
2011
2012 case SSL_CTRL_NEED_TMP_RSA:
2013 return 0;
2014
2015 case SSL_CTRL_SET_TMP_RSA:
2016 case SSL_CTRL_SET_TMP_RSA_CB:
2017 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2018 return 0;
2019 }
2020
2021 return 0;
2022 }
2023
2024 long
2025 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2026 {
2027 if (cmd == SSL_CTRL_SET_TMP_DH_CB || cmd == SSL_CTRL_SET_TMP_ECDH_CB) {
2028 if (!ssl_cert_inst(&s->cert)) {
2029 SSLerror(s, ERR_R_MALLOC_FAILURE);
2030 return 0;
2031 }
2032 }
2033
2034 switch (cmd) {
2035 case SSL_CTRL_SET_TMP_RSA_CB:
2036 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2037 return 0;
2038
2039 case SSL_CTRL_SET_TMP_DH_CB:
2040 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2041 return 1;
2042
2043 case SSL_CTRL_SET_TMP_ECDH_CB:
2044 return 1;
2045
2046 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2047 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2048 unsigned char *, int, void *))fp;
2049 return 1;
2050 }
2051
2052 return 0;
2053 }
2054
2055 static int
2056 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2057 {
2058 DH *dh_tmp;
2059
2060 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
2061 SSLerrorx(ERR_R_DH_LIB);
2062 return 0;
2063 }
2064
2065 DH_free(ctx->internal->cert->dh_tmp);
2066 ctx->internal->cert->dh_tmp = dh_tmp;
2067
2068 return 1;
2069 }
2070
2071 static int
2072 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2073 {
2074 ctx->internal->cert->dh_tmp_auto = state;
2075 return 1;
2076 }
2077
2078 static int
2079 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2080 {
2081 const EC_GROUP *group;
2082 int nid;
2083
2084 if (ecdh == NULL)
2085 return 0;
2086 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2087 return 0;
2088
2089 nid = EC_GROUP_get_curve_name(group);
2090 return SSL_CTX_set1_groups(ctx, &nid, 1);
2091 }
2092
2093 static int
2094 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2095 {
2096 return 1;
2097 }
2098
2099 static int
2100 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2101 {
2102 ctx->internal->tlsext_servername_arg = arg;
2103 return 1;
2104 }
2105
2106 static int
2107 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2108 {
2109 if (keys == NULL)
2110 return 48;
2111
2112 if (keys_len != 48) {
2113 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2114 return 0;
2115 }
2116
2117 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2118 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2119 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2120
2121 return 1;
2122 }
2123
2124 static int
2125 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2126 {
2127 if (keys == NULL)
2128 return 48;
2129
2130 if (keys_len != 48) {
2131 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2132 return 0;
2133 }
2134
2135 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2136 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2137 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2138
2139 return 1;
2140 }
2141
2142 static int
2143 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2144 {
2145 *arg = ctx->internal->tlsext_status_arg;
2146 return 1;
2147 }
2148
2149 static int
2150 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2151 {
2152 ctx->internal->tlsext_status_arg = arg;
2153 return 1;
2154 }
2155
2156 static int
2157 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2158 {
2159 if (ctx->extra_certs == NULL) {
2160 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2161 return 0;
2162 }
2163 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2164 return 0;
2165
2166 return 1;
2167 }
2168
2169 int
2170 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2171 {
2172 *certs = ctx->extra_certs;
2173 return 1;
2174 }
2175
2176 int
2177 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2178 {
2179 sk_X509_pop_free(ctx->extra_certs, X509_free);
2180 ctx->extra_certs = NULL;
2181 return 1;
2182 }
2183
2184 int
2185 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2186 {
2187 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2188 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2189 }
2190
2191 int
2192 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2193 {
2194 return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups,
2195 &ctx->internal->tlsext_supportedgroups_length, groups);
2196 }
2197
2198 long
2199 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2200 {
2201 switch (cmd) {
2202 case SSL_CTRL_SET_TMP_DH:
2203 return _SSL_CTX_set_tmp_dh(ctx, parg);
2204
2205 case SSL_CTRL_SET_TMP_DH_CB:
2206 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2207 return 0;
2208
2209 case SSL_CTRL_SET_DH_AUTO:
2210 return _SSL_CTX_set_dh_auto(ctx, larg);
2211
2212 case SSL_CTRL_SET_TMP_ECDH:
2213 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2214
2215 case SSL_CTRL_SET_TMP_ECDH_CB:
2216 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2217 return 0;
2218
2219 case SSL_CTRL_SET_ECDH_AUTO:
2220 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2221
2222 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2223 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2224
2225 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2226 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2227
2228 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2229 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2230
2231 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2232 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2233
2234 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2235 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2236
2237 case SSL_CTRL_EXTRA_CHAIN_CERT:
2238 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2239
2240 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2241 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2242
2243 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2244 return _SSL_CTX_clear_extra_chain_certs(ctx);
2245
2246 case SSL_CTRL_SET_GROUPS:
2247 return SSL_CTX_set1_groups(ctx, parg, larg);
2248
2249 case SSL_CTRL_SET_GROUPS_LIST:
2250 return SSL_CTX_set1_groups_list(ctx, parg);
2251
2252 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2253 return SSL_CTX_get_min_proto_version(ctx);
2254
2255 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2256 return SSL_CTX_get_max_proto_version(ctx);
2257
2258 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2259 if (larg < 0 || larg > UINT16_MAX)
2260 return 0;
2261 return SSL_CTX_set_min_proto_version(ctx, larg);
2262
2263 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2264 if (larg < 0 || larg > UINT16_MAX)
2265 return 0;
2266 return SSL_CTX_set_max_proto_version(ctx, larg);
2267
2268 /*
2269 * Legacy controls that should eventually be removed.
2270 */
2271 case SSL_CTRL_NEED_TMP_RSA:
2272 return 0;
2273
2274 case SSL_CTRL_SET_TMP_RSA:
2275 case SSL_CTRL_SET_TMP_RSA_CB:
2276 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2277 return 0;
2278 }
2279
2280 return 0;
2281 }
2282
2283 long
2284 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2285 {
2286 switch (cmd) {
2287 case SSL_CTRL_SET_TMP_RSA_CB:
2288 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2289 return 0;
2290
2291 case SSL_CTRL_SET_TMP_DH_CB:
2292 ctx->internal->cert->dh_tmp_cb =
2293 (DH *(*)(SSL *, int, int))fp;
2294 return 1;
2295
2296 case SSL_CTRL_SET_TMP_ECDH_CB:
2297 return 1;
2298
2299 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2300 ctx->internal->tlsext_servername_callback =
2301 (int (*)(SSL *, int *, void *))fp;
2302 return 1;
2303
2304 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2305 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2306 return 1;
2307
2308 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2309 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2310 return 1;
2311
2312 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2313 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2314 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2315 return 1;
2316 }
2317
2318 return 0;
2319 }
2320
2321 /*
2322 * This function needs to check if the ciphers required are actually available.
2323 */
2324 const SSL_CIPHER *
2325 ssl3_get_cipher_by_char(const unsigned char *p)
2326 {
2327 uint16_t cipher_value;
2328 CBS cbs;
2329
2330 /* We have to assume it is at least 2 bytes due to existing API. */
2331 CBS_init(&cbs, p, 2);
2332 if (!CBS_get_u16(&cbs, &cipher_value))
2333 return NULL;
2334
2335 return ssl3_get_cipher_by_value(cipher_value);
2336 }
2337
2338 int
2339 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
2340 {
2341 CBB cbb;
2342
2343 if (p == NULL)
2344 return (2);
2345
2346 if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID)
2347 return (0);
2348
2349 memset(&cbb, 0, sizeof(cbb));
2350
2351 /* We have to assume it is at least 2 bytes due to existing API. */
2352 if (!CBB_init_fixed(&cbb, p, 2))
2353 goto err;
2354 if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c)))
2355 goto err;
2356 if (!CBB_finish(&cbb, NULL, NULL))
2357 goto err;
2358
2359 return (2);
2360
2361 err:
2362 CBB_cleanup(&cbb);
2363 return (0);
2364 }
2365
2366 SSL_CIPHER *
2367 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2368 STACK_OF(SSL_CIPHER) *srvr)
2369 {
2370 unsigned long alg_k, alg_a, mask_k, mask_a;
2371 STACK_OF(SSL_CIPHER) *prio, *allow;
2372 SSL_CIPHER *c, *ret = NULL;
2373 int i, ii, ok;
2374 CERT *cert;
2375
2376 /* Let's see which ciphers we can support */
2377 cert = s->cert;
2378
2379 /*
2380 * Do not set the compare functions, because this may lead to a
2381 * reordering by "id". We want to keep the original ordering.
2382 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2383 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2384 */
2385
2386 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2387 prio = srvr;
2388 allow = clnt;
2389 } else {
2390 prio = clnt;
2391 allow = srvr;
2392 }
2393
2394 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2395 c = sk_SSL_CIPHER_value(prio, i);
2396
2397 /* Skip TLS v1.2 only ciphersuites if not supported. */
2398 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2399 !SSL_USE_TLS1_2_CIPHERS(s))
2400 continue;
2401
2402 ssl_set_cert_masks(cert, c);
2403 mask_k = cert->mask_k;
2404 mask_a = cert->mask_a;
2405
2406 alg_k = c->algorithm_mkey;
2407 alg_a = c->algorithm_auth;
2408
2409
2410 ok = (alg_k & mask_k) && (alg_a & mask_a);
2411
2412 /*
2413 * If we are considering an ECC cipher suite that uses our
2414 * certificate check it.
2415 */
2416 if (alg_a & SSL_aECDSA)
2417 ok = ok && tls1_check_ec_server_key(s);
2418 /*
2419 * If we are considering an ECC cipher suite that uses
2420 * an ephemeral EC key check it.
2421 */
2422 if (alg_k & SSL_kECDHE)
2423 ok = ok && tls1_check_ec_tmp_key(s);
2424
2425 if (!ok)
2426 continue;
2427 ii = sk_SSL_CIPHER_find(allow, c);
2428 if (ii >= 0) {
2429 ret = sk_SSL_CIPHER_value(allow, ii);
2430 break;
2431 }
2432 }
2433 return (ret);
2434 }
2435
2436 int
2437 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2438 {
2439 unsigned long alg_k;
2440
2441 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2442
2443 #ifndef OPENSSL_NO_GOST
2444 if ((alg_k & SSL_kGOST) != 0) {
2445 if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
2446 return 0;
2447 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2448 return 0;
2449 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2450 return 0;
2451 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2452 return 0;
2453 }
2454 #endif
2455
2456 if ((alg_k & SSL_kDHE) != 0) {
2457 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2458 return 0;
2459 }
2460
2461 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2462 return 0;
2463
2464 /*
2465 * ECDSA certs can be used with RSA cipher suites as well
2466 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2467 */
2468 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2469 return 0;
2470
2471 return 1;
2472 }
2473
2474 int
2475 ssl3_shutdown(SSL *s)
2476 {
2477 int ret;
2478
2479 /*
2480 * Don't do anything much if we have not done the handshake or
2481 * we don't want to send messages :-)
2482 */
2483 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) {
2484 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2485 return (1);
2486 }
2487
2488 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2489 s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2490 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2491 /*
2492 * Our shutdown alert has been sent now, and if it still needs
2493 * to be written, s->s3->alert_dispatch will be true
2494 */
2495 if (s->s3->alert_dispatch)
2496 return(-1); /* return WANT_WRITE */
2497 } else if (s->s3->alert_dispatch) {
2498 /* resend it if not sent */
2499 ret = s->method->ssl_dispatch_alert(s);
2500 if (ret == -1) {
2501 /*
2502 * We only get to return -1 here the 2nd/Nth
2503 * invocation, we must have already signalled
2504 * return 0 upon a previous invoation,
2505 * return WANT_WRITE
2506 */
2507 return (ret);
2508 }
2509 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2510 /* If we are waiting for a close from our peer, we are closed */
2511 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0);
2512 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2513 return(-1); /* return WANT_READ */
2514 }
2515 }
2516
2517 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2518 !s->s3->alert_dispatch)
2519 return (1);
2520 else
2521 return (0);
2522 }
2523
2524 int
2525 ssl3_write(SSL *s, const void *buf, int len)
2526 {
2527 int ret, n;
2528
2529 #if 0
2530 if (s->internal->shutdown & SSL_SEND_SHUTDOWN) {
2531 s->internal->rwstate = SSL_NOTHING;
2532 return (0);
2533 }
2534 #endif
2535 errno = 0;
2536 if (S3I(s)->renegotiate)
2537 ssl3_renegotiate_check(s);
2538
2539 /*
2540 * This is an experimental flag that sends the
2541 * last handshake message in the same packet as the first
2542 * use data - used to see if it helps the TCP protocol during
2543 * session-id reuse
2544 */
2545 /* The second test is because the buffer may have been removed */
2546 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) {
2547 /* First time through, we write into the buffer */
2548 if (S3I(s)->delay_buf_pop_ret == 0) {
2549 ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2550 buf, len);
2551 if (ret <= 0)
2552 return (ret);
2553
2554 S3I(s)->delay_buf_pop_ret = ret;
2555 }
2556
2557 s->internal->rwstate = SSL_WRITING;
2558 n = BIO_flush(s->wbio);
2559 if (n <= 0)
2560 return (n);
2561 s->internal->rwstate = SSL_NOTHING;
2562
2563 /* We have flushed the buffer, so remove it */
2564 ssl_free_wbio_buffer(s);
2565 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
2566
2567 ret = S3I(s)->delay_buf_pop_ret;
2568 S3I(s)->delay_buf_pop_ret = 0;
2569 } else {
2570 ret = s->method->internal->ssl_write_bytes(s,
2571 SSL3_RT_APPLICATION_DATA, buf, len);
2572 if (ret <= 0)
2573 return (ret);
2574 }
2575
2576 return (ret);
2577 }
2578
2579 static int
2580 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2581 {
2582 int ret;
2583
2584 errno = 0;
2585 if (S3I(s)->renegotiate)
2586 ssl3_renegotiate_check(s);
2587 S3I(s)->in_read_app_data = 1;
2588 ret = s->method->internal->ssl_read_bytes(s,
2589 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2590 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2591 /*
2592 * ssl3_read_bytes decided to call s->internal->handshake_func, which
2593 * called ssl3_read_bytes to read handshake data.
2594 * However, ssl3_read_bytes actually found application data
2595 * and thinks that application data makes sense here; so disable
2596 * handshake processing and try to read application data again.
2597 */
2598 s->internal->in_handshake++;
2599 ret = s->method->internal->ssl_read_bytes(s,
2600 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2601 s->internal->in_handshake--;
2602 } else
2603 S3I(s)->in_read_app_data = 0;
2604
2605 return (ret);
2606 }
2607
2608 int
2609 ssl3_read(SSL *s, void *buf, int len)
2610 {
2611 return ssl3_read_internal(s, buf, len, 0);
2612 }
2613
2614 int
2615 ssl3_peek(SSL *s, void *buf, int len)
2616 {
2617 return ssl3_read_internal(s, buf, len, 1);
2618 }
2619
2620 int
2621 ssl3_renegotiate(SSL *s)
2622 {
2623 if (s->internal->handshake_func == NULL)
2624 return (1);
2625
2626 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2627 return (0);
2628
2629 S3I(s)->renegotiate = 1;
2630 return (1);
2631 }
2632
2633 int
2634 ssl3_renegotiate_check(SSL *s)
2635 {
2636 int ret = 0;
2637
2638 if (S3I(s)->renegotiate) {
2639 if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) &&
2640 !SSL_in_init(s)) {
2641 /*
2642 * If we are the server, and we have sent
2643 * a 'RENEGOTIATE' message, we need to go
2644 * to SSL_ST_ACCEPT.
2645 */
2646 /* SSL_ST_ACCEPT */
2647 S3I(s)->hs.state = SSL_ST_RENEGOTIATE;
2648 S3I(s)->renegotiate = 0;
2649 S3I(s)->num_renegotiations++;
2650 S3I(s)->total_renegotiations++;
2651 ret = 1;
2652 }
2653 }
2654 return (ret);
2655 }
2656 /*
2657 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
2658 * and handshake macs if required.
2659 */
2660 long
2661 ssl_get_algorithm2(SSL *s)
2662 {
2663 long alg2 = S3I(s)->hs.new_cipher->algorithm2;
2664
2665 if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2666 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
2667 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
2668 return alg2;
2669 }
Unleashed OS