summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_lib.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_lib.c2748
1 files changed, 0 insertions, 2748 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
deleted file mode 100644
index 6400454f1b..0000000000
--- a/src/lib/libssl/s3_lib.c
+++ /dev/null
@@ -1,2748 +0,0 @@
1/* $OpenBSD: s3_lib.c,v 1.214 2021/07/26 03:17:38 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdio.h>
153
154#include <openssl/bn.h>
155#include <openssl/curve25519.h>
156#include <openssl/dh.h>
157#include <openssl/md5.h>
158#include <openssl/objects.h>
159#include <openssl/opensslconf.h>
160
161#include "bytestring.h"
162#include "dtls_locl.h"
163#include "ssl_locl.h"
164#include "ssl_sigalgs.h"
165
166#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
167
168/*
169 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
170 * fixed nonce length in algorithms2. It is the inverse of the
171 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
172 */
173#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
174
175/* list of available SSLv3 ciphers (sorted by id) */
176const SSL_CIPHER ssl3_ciphers[] = {
177
178 /* The RSA ciphers */
179 /* Cipher 01 */
180 {
181 .valid = 1,
182 .name = SSL3_TXT_RSA_NULL_MD5,
183 .id = SSL3_CK_RSA_NULL_MD5,
184 .algorithm_mkey = SSL_kRSA,
185 .algorithm_auth = SSL_aRSA,
186 .algorithm_enc = SSL_eNULL,
187 .algorithm_mac = SSL_MD5,
188 .algorithm_ssl = SSL_SSLV3,
189 .algo_strength = SSL_STRONG_NONE,
190 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
191 .strength_bits = 0,
192 .alg_bits = 0,
193 },
194
195 /* Cipher 02 */
196 {
197 .valid = 1,
198 .name = SSL3_TXT_RSA_NULL_SHA,
199 .id = SSL3_CK_RSA_NULL_SHA,
200 .algorithm_mkey = SSL_kRSA,
201 .algorithm_auth = SSL_aRSA,
202 .algorithm_enc = SSL_eNULL,
203 .algorithm_mac = SSL_SHA1,
204 .algorithm_ssl = SSL_SSLV3,
205 .algo_strength = SSL_STRONG_NONE,
206 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
207 .strength_bits = 0,
208 .alg_bits = 0,
209 },
210
211 /* Cipher 04 */
212 {
213 .valid = 1,
214 .name = SSL3_TXT_RSA_RC4_128_MD5,
215 .id = SSL3_CK_RSA_RC4_128_MD5,
216 .algorithm_mkey = SSL_kRSA,
217 .algorithm_auth = SSL_aRSA,
218 .algorithm_enc = SSL_RC4,
219 .algorithm_mac = SSL_MD5,
220 .algorithm_ssl = SSL_SSLV3,
221 .algo_strength = SSL_LOW,
222 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
223 .strength_bits = 128,
224 .alg_bits = 128,
225 },
226
227 /* Cipher 05 */
228 {
229 .valid = 1,
230 .name = SSL3_TXT_RSA_RC4_128_SHA,
231 .id = SSL3_CK_RSA_RC4_128_SHA,
232 .algorithm_mkey = SSL_kRSA,
233 .algorithm_auth = SSL_aRSA,
234 .algorithm_enc = SSL_RC4,
235 .algorithm_mac = SSL_SHA1,
236 .algorithm_ssl = SSL_SSLV3,
237 .algo_strength = SSL_LOW,
238 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
239 .strength_bits = 128,
240 .alg_bits = 128,
241 },
242
243 /* Cipher 0A */
244 {
245 .valid = 1,
246 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
247 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
248 .algorithm_mkey = SSL_kRSA,
249 .algorithm_auth = SSL_aRSA,
250 .algorithm_enc = SSL_3DES,
251 .algorithm_mac = SSL_SHA1,
252 .algorithm_ssl = SSL_SSLV3,
253 .algo_strength = SSL_MEDIUM,
254 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
255 .strength_bits = 112,
256 .alg_bits = 168,
257 },
258
259 /*
260 * Ephemeral DH (DHE) ciphers.
261 */
262
263 /* Cipher 16 */
264 {
265 .valid = 1,
266 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
267 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
268 .algorithm_mkey = SSL_kDHE,
269 .algorithm_auth = SSL_aRSA,
270 .algorithm_enc = SSL_3DES,
271 .algorithm_mac = SSL_SHA1,
272 .algorithm_ssl = SSL_SSLV3,
273 .algo_strength = SSL_MEDIUM,
274 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
275 .strength_bits = 112,
276 .alg_bits = 168,
277 },
278
279 /* Cipher 18 */
280 {
281 .valid = 1,
282 .name = SSL3_TXT_ADH_RC4_128_MD5,
283 .id = SSL3_CK_ADH_RC4_128_MD5,
284 .algorithm_mkey = SSL_kDHE,
285 .algorithm_auth = SSL_aNULL,
286 .algorithm_enc = SSL_RC4,
287 .algorithm_mac = SSL_MD5,
288 .algorithm_ssl = SSL_SSLV3,
289 .algo_strength = SSL_LOW,
290 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
291 .strength_bits = 128,
292 .alg_bits = 128,
293 },
294
295 /* Cipher 1B */
296 {
297 .valid = 1,
298 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
299 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
300 .algorithm_mkey = SSL_kDHE,
301 .algorithm_auth = SSL_aNULL,
302 .algorithm_enc = SSL_3DES,
303 .algorithm_mac = SSL_SHA1,
304 .algorithm_ssl = SSL_SSLV3,
305 .algo_strength = SSL_MEDIUM,
306 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
307 .strength_bits = 112,
308 .alg_bits = 168,
309 },
310
311 /*
312 * AES ciphersuites.
313 */
314
315 /* Cipher 2F */
316 {
317 .valid = 1,
318 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
319 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
320 .algorithm_mkey = SSL_kRSA,
321 .algorithm_auth = SSL_aRSA,
322 .algorithm_enc = SSL_AES128,
323 .algorithm_mac = SSL_SHA1,
324 .algorithm_ssl = SSL_TLSV1,
325 .algo_strength = SSL_HIGH,
326 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
327 .strength_bits = 128,
328 .alg_bits = 128,
329 },
330
331 /* Cipher 33 */
332 {
333 .valid = 1,
334 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
335 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
336 .algorithm_mkey = SSL_kDHE,
337 .algorithm_auth = SSL_aRSA,
338 .algorithm_enc = SSL_AES128,
339 .algorithm_mac = SSL_SHA1,
340 .algorithm_ssl = SSL_TLSV1,
341 .algo_strength = SSL_HIGH,
342 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
343 .strength_bits = 128,
344 .alg_bits = 128,
345 },
346
347 /* Cipher 34 */
348 {
349 .valid = 1,
350 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
351 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
352 .algorithm_mkey = SSL_kDHE,
353 .algorithm_auth = SSL_aNULL,
354 .algorithm_enc = SSL_AES128,
355 .algorithm_mac = SSL_SHA1,
356 .algorithm_ssl = SSL_TLSV1,
357 .algo_strength = SSL_HIGH,
358 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
359 .strength_bits = 128,
360 .alg_bits = 128,
361 },
362
363 /* Cipher 35 */
364 {
365 .valid = 1,
366 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
367 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
368 .algorithm_mkey = SSL_kRSA,
369 .algorithm_auth = SSL_aRSA,
370 .algorithm_enc = SSL_AES256,
371 .algorithm_mac = SSL_SHA1,
372 .algorithm_ssl = SSL_TLSV1,
373 .algo_strength = SSL_HIGH,
374 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
375 .strength_bits = 256,
376 .alg_bits = 256,
377 },
378
379 /* Cipher 39 */
380 {
381 .valid = 1,
382 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
383 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
384 .algorithm_mkey = SSL_kDHE,
385 .algorithm_auth = SSL_aRSA,
386 .algorithm_enc = SSL_AES256,
387 .algorithm_mac = SSL_SHA1,
388 .algorithm_ssl = SSL_TLSV1,
389 .algo_strength = SSL_HIGH,
390 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
391 .strength_bits = 256,
392 .alg_bits = 256,
393 },
394
395 /* Cipher 3A */
396 {
397 .valid = 1,
398 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
399 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
400 .algorithm_mkey = SSL_kDHE,
401 .algorithm_auth = SSL_aNULL,
402 .algorithm_enc = SSL_AES256,
403 .algorithm_mac = SSL_SHA1,
404 .algorithm_ssl = SSL_TLSV1,
405 .algo_strength = SSL_HIGH,
406 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
407 .strength_bits = 256,
408 .alg_bits = 256,
409 },
410
411 /* TLS v1.2 ciphersuites */
412 /* Cipher 3B */
413 {
414 .valid = 1,
415 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
416 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
417 .algorithm_mkey = SSL_kRSA,
418 .algorithm_auth = SSL_aRSA,
419 .algorithm_enc = SSL_eNULL,
420 .algorithm_mac = SSL_SHA256,
421 .algorithm_ssl = SSL_TLSV1_2,
422 .algo_strength = SSL_STRONG_NONE,
423 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
424 .strength_bits = 0,
425 .alg_bits = 0,
426 },
427
428 /* Cipher 3C */
429 {
430 .valid = 1,
431 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
432 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
433 .algorithm_mkey = SSL_kRSA,
434 .algorithm_auth = SSL_aRSA,
435 .algorithm_enc = SSL_AES128,
436 .algorithm_mac = SSL_SHA256,
437 .algorithm_ssl = SSL_TLSV1_2,
438 .algo_strength = SSL_HIGH,
439 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
440 .strength_bits = 128,
441 .alg_bits = 128,
442 },
443
444 /* Cipher 3D */
445 {
446 .valid = 1,
447 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
448 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
449 .algorithm_mkey = SSL_kRSA,
450 .algorithm_auth = SSL_aRSA,
451 .algorithm_enc = SSL_AES256,
452 .algorithm_mac = SSL_SHA256,
453 .algorithm_ssl = SSL_TLSV1_2,
454 .algo_strength = SSL_HIGH,
455 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
456 .strength_bits = 256,
457 .alg_bits = 256,
458 },
459
460#ifndef OPENSSL_NO_CAMELLIA
461 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
462
463 /* Cipher 41 */
464 {
465 .valid = 1,
466 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
467 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
468 .algorithm_mkey = SSL_kRSA,
469 .algorithm_auth = SSL_aRSA,
470 .algorithm_enc = SSL_CAMELLIA128,
471 .algorithm_mac = SSL_SHA1,
472 .algorithm_ssl = SSL_TLSV1,
473 .algo_strength = SSL_HIGH,
474 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
475 .strength_bits = 128,
476 .alg_bits = 128,
477 },
478
479 /* Cipher 45 */
480 {
481 .valid = 1,
482 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
483 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
484 .algorithm_mkey = SSL_kDHE,
485 .algorithm_auth = SSL_aRSA,
486 .algorithm_enc = SSL_CAMELLIA128,
487 .algorithm_mac = SSL_SHA1,
488 .algorithm_ssl = SSL_TLSV1,
489 .algo_strength = SSL_HIGH,
490 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
491 .strength_bits = 128,
492 .alg_bits = 128,
493 },
494
495 /* Cipher 46 */
496 {
497 .valid = 1,
498 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
499 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
500 .algorithm_mkey = SSL_kDHE,
501 .algorithm_auth = SSL_aNULL,
502 .algorithm_enc = SSL_CAMELLIA128,
503 .algorithm_mac = SSL_SHA1,
504 .algorithm_ssl = SSL_TLSV1,
505 .algo_strength = SSL_HIGH,
506 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
507 .strength_bits = 128,
508 .alg_bits = 128,
509 },
510#endif /* OPENSSL_NO_CAMELLIA */
511
512 /* TLS v1.2 ciphersuites */
513 /* Cipher 67 */
514 {
515 .valid = 1,
516 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
517 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
518 .algorithm_mkey = SSL_kDHE,
519 .algorithm_auth = SSL_aRSA,
520 .algorithm_enc = SSL_AES128,
521 .algorithm_mac = SSL_SHA256,
522 .algorithm_ssl = SSL_TLSV1_2,
523 .algo_strength = SSL_HIGH,
524 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
525 .strength_bits = 128,
526 .alg_bits = 128,
527 },
528
529 /* Cipher 6B */
530 {
531 .valid = 1,
532 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
533 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
534 .algorithm_mkey = SSL_kDHE,
535 .algorithm_auth = SSL_aRSA,
536 .algorithm_enc = SSL_AES256,
537 .algorithm_mac = SSL_SHA256,
538 .algorithm_ssl = SSL_TLSV1_2,
539 .algo_strength = SSL_HIGH,
540 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
541 .strength_bits = 256,
542 .alg_bits = 256,
543 },
544
545 /* Cipher 6C */
546 {
547 .valid = 1,
548 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
549 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
550 .algorithm_mkey = SSL_kDHE,
551 .algorithm_auth = SSL_aNULL,
552 .algorithm_enc = SSL_AES128,
553 .algorithm_mac = SSL_SHA256,
554 .algorithm_ssl = SSL_TLSV1_2,
555 .algo_strength = SSL_HIGH,
556 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
557 .strength_bits = 128,
558 .alg_bits = 128,
559 },
560
561 /* Cipher 6D */
562 {
563 .valid = 1,
564 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
565 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
566 .algorithm_mkey = SSL_kDHE,
567 .algorithm_auth = SSL_aNULL,
568 .algorithm_enc = SSL_AES256,
569 .algorithm_mac = SSL_SHA256,
570 .algorithm_ssl = SSL_TLSV1_2,
571 .algo_strength = SSL_HIGH,
572 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
573 .strength_bits = 256,
574 .alg_bits = 256,
575 },
576
577 /* GOST Ciphersuites */
578
579 /* Cipher 81 */
580 {
581 .valid = 1,
582 .name = "GOST2001-GOST89-GOST89",
583 .id = 0x3000081,
584 .algorithm_mkey = SSL_kGOST,
585 .algorithm_auth = SSL_aGOST01,
586 .algorithm_enc = SSL_eGOST2814789CNT,
587 .algorithm_mac = SSL_GOST89MAC,
588 .algorithm_ssl = SSL_TLSV1,
589 .algo_strength = SSL_HIGH,
590 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
591 TLS1_STREAM_MAC,
592 .strength_bits = 256,
593 .alg_bits = 256
594 },
595
596 /* Cipher 83 */
597 {
598 .valid = 1,
599 .name = "GOST2001-NULL-GOST94",
600 .id = 0x3000083,
601 .algorithm_mkey = SSL_kGOST,
602 .algorithm_auth = SSL_aGOST01,
603 .algorithm_enc = SSL_eNULL,
604 .algorithm_mac = SSL_GOST94,
605 .algorithm_ssl = SSL_TLSV1,
606 .algo_strength = SSL_STRONG_NONE,
607 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
608 .strength_bits = 0,
609 .alg_bits = 0
610 },
611
612#ifndef OPENSSL_NO_CAMELLIA
613 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
614
615 /* Cipher 84 */
616 {
617 .valid = 1,
618 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
619 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
620 .algorithm_mkey = SSL_kRSA,
621 .algorithm_auth = SSL_aRSA,
622 .algorithm_enc = SSL_CAMELLIA256,
623 .algorithm_mac = SSL_SHA1,
624 .algorithm_ssl = SSL_TLSV1,
625 .algo_strength = SSL_HIGH,
626 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
627 .strength_bits = 256,
628 .alg_bits = 256,
629 },
630
631 /* Cipher 88 */
632 {
633 .valid = 1,
634 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
635 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
636 .algorithm_mkey = SSL_kDHE,
637 .algorithm_auth = SSL_aRSA,
638 .algorithm_enc = SSL_CAMELLIA256,
639 .algorithm_mac = SSL_SHA1,
640 .algorithm_ssl = SSL_TLSV1,
641 .algo_strength = SSL_HIGH,
642 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
643 .strength_bits = 256,
644 .alg_bits = 256,
645 },
646
647 /* Cipher 89 */
648 {
649 .valid = 1,
650 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
651 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
652 .algorithm_mkey = SSL_kDHE,
653 .algorithm_auth = SSL_aNULL,
654 .algorithm_enc = SSL_CAMELLIA256,
655 .algorithm_mac = SSL_SHA1,
656 .algorithm_ssl = SSL_TLSV1,
657 .algo_strength = SSL_HIGH,
658 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
659 .strength_bits = 256,
660 .alg_bits = 256,
661 },
662#endif /* OPENSSL_NO_CAMELLIA */
663
664 /*
665 * GCM ciphersuites from RFC5288.
666 */
667
668 /* Cipher 9C */
669 {
670 .valid = 1,
671 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
672 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
673 .algorithm_mkey = SSL_kRSA,
674 .algorithm_auth = SSL_aRSA,
675 .algorithm_enc = SSL_AES128GCM,
676 .algorithm_mac = SSL_AEAD,
677 .algorithm_ssl = SSL_TLSV1_2,
678 .algo_strength = SSL_HIGH,
679 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
680 FIXED_NONCE_LEN(4)|
681 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
682 .strength_bits = 128,
683 .alg_bits = 128,
684 },
685
686 /* Cipher 9D */
687 {
688 .valid = 1,
689 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
690 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
691 .algorithm_mkey = SSL_kRSA,
692 .algorithm_auth = SSL_aRSA,
693 .algorithm_enc = SSL_AES256GCM,
694 .algorithm_mac = SSL_AEAD,
695 .algorithm_ssl = SSL_TLSV1_2,
696 .algo_strength = SSL_HIGH,
697 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
698 FIXED_NONCE_LEN(4)|
699 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
700 .strength_bits = 256,
701 .alg_bits = 256,
702 },
703
704 /* Cipher 9E */
705 {
706 .valid = 1,
707 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
708 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
709 .algorithm_mkey = SSL_kDHE,
710 .algorithm_auth = SSL_aRSA,
711 .algorithm_enc = SSL_AES128GCM,
712 .algorithm_mac = SSL_AEAD,
713 .algorithm_ssl = SSL_TLSV1_2,
714 .algo_strength = SSL_HIGH,
715 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
716 FIXED_NONCE_LEN(4)|
717 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
718 .strength_bits = 128,
719 .alg_bits = 128,
720 },
721
722 /* Cipher 9F */
723 {
724 .valid = 1,
725 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
726 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
727 .algorithm_mkey = SSL_kDHE,
728 .algorithm_auth = SSL_aRSA,
729 .algorithm_enc = SSL_AES256GCM,
730 .algorithm_mac = SSL_AEAD,
731 .algorithm_ssl = SSL_TLSV1_2,
732 .algo_strength = SSL_HIGH,
733 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
734 FIXED_NONCE_LEN(4)|
735 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
736 .strength_bits = 256,
737 .alg_bits = 256,
738 },
739
740 /* Cipher A6 */
741 {
742 .valid = 1,
743 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
744 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
745 .algorithm_mkey = SSL_kDHE,
746 .algorithm_auth = SSL_aNULL,
747 .algorithm_enc = SSL_AES128GCM,
748 .algorithm_mac = SSL_AEAD,
749 .algorithm_ssl = SSL_TLSV1_2,
750 .algo_strength = SSL_HIGH,
751 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
752 FIXED_NONCE_LEN(4)|
753 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
754 .strength_bits = 128,
755 .alg_bits = 128,
756 },
757
758 /* Cipher A7 */
759 {
760 .valid = 1,
761 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
762 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
763 .algorithm_mkey = SSL_kDHE,
764 .algorithm_auth = SSL_aNULL,
765 .algorithm_enc = SSL_AES256GCM,
766 .algorithm_mac = SSL_AEAD,
767 .algorithm_ssl = SSL_TLSV1_2,
768 .algo_strength = SSL_HIGH,
769 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
770 FIXED_NONCE_LEN(4)|
771 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
772 .strength_bits = 256,
773 .alg_bits = 256,
774 },
775
776#ifndef OPENSSL_NO_CAMELLIA
777 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
778
779 /* Cipher BA */
780 {
781 .valid = 1,
782 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
783 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
784 .algorithm_mkey = SSL_kRSA,
785 .algorithm_auth = SSL_aRSA,
786 .algorithm_enc = SSL_CAMELLIA128,
787 .algorithm_mac = SSL_SHA256,
788 .algorithm_ssl = SSL_TLSV1_2,
789 .algo_strength = SSL_HIGH,
790 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
791 .strength_bits = 128,
792 .alg_bits = 128,
793 },
794
795 /* Cipher BE */
796 {
797 .valid = 1,
798 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
799 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
800 .algorithm_mkey = SSL_kDHE,
801 .algorithm_auth = SSL_aRSA,
802 .algorithm_enc = SSL_CAMELLIA128,
803 .algorithm_mac = SSL_SHA256,
804 .algorithm_ssl = SSL_TLSV1_2,
805 .algo_strength = SSL_HIGH,
806 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
807 .strength_bits = 128,
808 .alg_bits = 128,
809 },
810
811 /* Cipher BF */
812 {
813 .valid = 1,
814 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
815 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
816 .algorithm_mkey = SSL_kDHE,
817 .algorithm_auth = SSL_aNULL,
818 .algorithm_enc = SSL_CAMELLIA128,
819 .algorithm_mac = SSL_SHA256,
820 .algorithm_ssl = SSL_TLSV1_2,
821 .algo_strength = SSL_HIGH,
822 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
823 .strength_bits = 128,
824 .alg_bits = 128,
825 },
826
827 /* Cipher C0 */
828 {
829 .valid = 1,
830 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
831 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
832 .algorithm_mkey = SSL_kRSA,
833 .algorithm_auth = SSL_aRSA,
834 .algorithm_enc = SSL_CAMELLIA256,
835 .algorithm_mac = SSL_SHA256,
836 .algorithm_ssl = SSL_TLSV1_2,
837 .algo_strength = SSL_HIGH,
838 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
839 .strength_bits = 256,
840 .alg_bits = 256,
841 },
842
843 /* Cipher C4 */
844 {
845 .valid = 1,
846 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
847 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
848 .algorithm_mkey = SSL_kDHE,
849 .algorithm_auth = SSL_aRSA,
850 .algorithm_enc = SSL_CAMELLIA256,
851 .algorithm_mac = SSL_SHA256,
852 .algorithm_ssl = SSL_TLSV1_2,
853 .algo_strength = SSL_HIGH,
854 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
855 .strength_bits = 256,
856 .alg_bits = 256,
857 },
858
859 /* Cipher C5 */
860 {
861 .valid = 1,
862 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
863 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
864 .algorithm_mkey = SSL_kDHE,
865 .algorithm_auth = SSL_aNULL,
866 .algorithm_enc = SSL_CAMELLIA256,
867 .algorithm_mac = SSL_SHA256,
868 .algorithm_ssl = SSL_TLSV1_2,
869 .algo_strength = SSL_HIGH,
870 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
871 .strength_bits = 256,
872 .alg_bits = 256,
873 },
874#endif /* OPENSSL_NO_CAMELLIA */
875
876 /*
877 * TLSv1.3 cipher suites.
878 */
879
880#ifdef LIBRESSL_HAS_TLS1_3
881 /* Cipher 1301 */
882 {
883 .valid = 1,
884 .name = TLS1_3_TXT_AES_128_GCM_SHA256,
885 .id = TLS1_3_CK_AES_128_GCM_SHA256,
886 .algorithm_mkey = SSL_kTLS1_3,
887 .algorithm_auth = SSL_aTLS1_3,
888 .algorithm_enc = SSL_AES128GCM,
889 .algorithm_mac = SSL_AEAD,
890 .algorithm_ssl = SSL_TLSV1_3,
891 .algo_strength = SSL_HIGH,
892 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
893 .strength_bits = 128,
894 .alg_bits = 128,
895 },
896
897 /* Cipher 1302 */
898 {
899 .valid = 1,
900 .name = TLS1_3_TXT_AES_256_GCM_SHA384,
901 .id = TLS1_3_CK_AES_256_GCM_SHA384,
902 .algorithm_mkey = SSL_kTLS1_3,
903 .algorithm_auth = SSL_aTLS1_3,
904 .algorithm_enc = SSL_AES256GCM,
905 .algorithm_mac = SSL_AEAD,
906 .algorithm_ssl = SSL_TLSV1_3,
907 .algo_strength = SSL_HIGH,
908 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
909 .strength_bits = 256,
910 .alg_bits = 256,
911 },
912
913 /* Cipher 1303 */
914 {
915 .valid = 1,
916 .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
917 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
918 .algorithm_mkey = SSL_kTLS1_3,
919 .algorithm_auth = SSL_aTLS1_3,
920 .algorithm_enc = SSL_CHACHA20POLY1305,
921 .algorithm_mac = SSL_AEAD,
922 .algorithm_ssl = SSL_TLSV1_3,
923 .algo_strength = SSL_HIGH,
924 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
925 .strength_bits = 256,
926 .alg_bits = 256,
927 },
928#endif
929
930 /* Cipher C006 */
931 {
932 .valid = 1,
933 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
934 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
935 .algorithm_mkey = SSL_kECDHE,
936 .algorithm_auth = SSL_aECDSA,
937 .algorithm_enc = SSL_eNULL,
938 .algorithm_mac = SSL_SHA1,
939 .algorithm_ssl = SSL_TLSV1,
940 .algo_strength = SSL_STRONG_NONE,
941 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
942 .strength_bits = 0,
943 .alg_bits = 0,
944 },
945
946 /* Cipher C007 */
947 {
948 .valid = 1,
949 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
950 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
951 .algorithm_mkey = SSL_kECDHE,
952 .algorithm_auth = SSL_aECDSA,
953 .algorithm_enc = SSL_RC4,
954 .algorithm_mac = SSL_SHA1,
955 .algorithm_ssl = SSL_TLSV1,
956 .algo_strength = SSL_LOW,
957 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
958 .strength_bits = 128,
959 .alg_bits = 128,
960 },
961
962 /* Cipher C008 */
963 {
964 .valid = 1,
965 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
966 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
967 .algorithm_mkey = SSL_kECDHE,
968 .algorithm_auth = SSL_aECDSA,
969 .algorithm_enc = SSL_3DES,
970 .algorithm_mac = SSL_SHA1,
971 .algorithm_ssl = SSL_TLSV1,
972 .algo_strength = SSL_MEDIUM,
973 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
974 .strength_bits = 112,
975 .alg_bits = 168,
976 },
977
978 /* Cipher C009 */
979 {
980 .valid = 1,
981 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
982 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
983 .algorithm_mkey = SSL_kECDHE,
984 .algorithm_auth = SSL_aECDSA,
985 .algorithm_enc = SSL_AES128,
986 .algorithm_mac = SSL_SHA1,
987 .algorithm_ssl = SSL_TLSV1,
988 .algo_strength = SSL_HIGH,
989 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
990 .strength_bits = 128,
991 .alg_bits = 128,
992 },
993
994 /* Cipher C00A */
995 {
996 .valid = 1,
997 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
998 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
999 .algorithm_mkey = SSL_kECDHE,
1000 .algorithm_auth = SSL_aECDSA,
1001 .algorithm_enc = SSL_AES256,
1002 .algorithm_mac = SSL_SHA1,
1003 .algorithm_ssl = SSL_TLSV1,
1004 .algo_strength = SSL_HIGH,
1005 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1006 .strength_bits = 256,
1007 .alg_bits = 256,
1008 },
1009
1010 /* Cipher C010 */
1011 {
1012 .valid = 1,
1013 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1014 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1015 .algorithm_mkey = SSL_kECDHE,
1016 .algorithm_auth = SSL_aRSA,
1017 .algorithm_enc = SSL_eNULL,
1018 .algorithm_mac = SSL_SHA1,
1019 .algorithm_ssl = SSL_TLSV1,
1020 .algo_strength = SSL_STRONG_NONE,
1021 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1022 .strength_bits = 0,
1023 .alg_bits = 0,
1024 },
1025
1026 /* Cipher C011 */
1027 {
1028 .valid = 1,
1029 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1030 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1031 .algorithm_mkey = SSL_kECDHE,
1032 .algorithm_auth = SSL_aRSA,
1033 .algorithm_enc = SSL_RC4,
1034 .algorithm_mac = SSL_SHA1,
1035 .algorithm_ssl = SSL_TLSV1,
1036 .algo_strength = SSL_LOW,
1037 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1038 .strength_bits = 128,
1039 .alg_bits = 128,
1040 },
1041
1042 /* Cipher C012 */
1043 {
1044 .valid = 1,
1045 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1046 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1047 .algorithm_mkey = SSL_kECDHE,
1048 .algorithm_auth = SSL_aRSA,
1049 .algorithm_enc = SSL_3DES,
1050 .algorithm_mac = SSL_SHA1,
1051 .algorithm_ssl = SSL_TLSV1,
1052 .algo_strength = SSL_MEDIUM,
1053 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1054 .strength_bits = 112,
1055 .alg_bits = 168,
1056 },
1057
1058 /* Cipher C013 */
1059 {
1060 .valid = 1,
1061 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1062 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1063 .algorithm_mkey = SSL_kECDHE,
1064 .algorithm_auth = SSL_aRSA,
1065 .algorithm_enc = SSL_AES128,
1066 .algorithm_mac = SSL_SHA1,
1067 .algorithm_ssl = SSL_TLSV1,
1068 .algo_strength = SSL_HIGH,
1069 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1070 .strength_bits = 128,
1071 .alg_bits = 128,
1072 },
1073
1074 /* Cipher C014 */
1075 {
1076 .valid = 1,
1077 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1078 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1079 .algorithm_mkey = SSL_kECDHE,
1080 .algorithm_auth = SSL_aRSA,
1081 .algorithm_enc = SSL_AES256,
1082 .algorithm_mac = SSL_SHA1,
1083 .algorithm_ssl = SSL_TLSV1,
1084 .algo_strength = SSL_HIGH,
1085 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1086 .strength_bits = 256,
1087 .alg_bits = 256,
1088 },
1089
1090 /* Cipher C015 */
1091 {
1092 .valid = 1,
1093 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1094 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1095 .algorithm_mkey = SSL_kECDHE,
1096 .algorithm_auth = SSL_aNULL,
1097 .algorithm_enc = SSL_eNULL,
1098 .algorithm_mac = SSL_SHA1,
1099 .algorithm_ssl = SSL_TLSV1,
1100 .algo_strength = SSL_STRONG_NONE,
1101 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1102 .strength_bits = 0,
1103 .alg_bits = 0,
1104 },
1105
1106 /* Cipher C016 */
1107 {
1108 .valid = 1,
1109 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1110 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1111 .algorithm_mkey = SSL_kECDHE,
1112 .algorithm_auth = SSL_aNULL,
1113 .algorithm_enc = SSL_RC4,
1114 .algorithm_mac = SSL_SHA1,
1115 .algorithm_ssl = SSL_TLSV1,
1116 .algo_strength = SSL_LOW,
1117 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1118 .strength_bits = 128,
1119 .alg_bits = 128,
1120 },
1121
1122 /* Cipher C017 */
1123 {
1124 .valid = 1,
1125 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1126 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1127 .algorithm_mkey = SSL_kECDHE,
1128 .algorithm_auth = SSL_aNULL,
1129 .algorithm_enc = SSL_3DES,
1130 .algorithm_mac = SSL_SHA1,
1131 .algorithm_ssl = SSL_TLSV1,
1132 .algo_strength = SSL_MEDIUM,
1133 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1134 .strength_bits = 112,
1135 .alg_bits = 168,
1136 },
1137
1138 /* Cipher C018 */
1139 {
1140 .valid = 1,
1141 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1142 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1143 .algorithm_mkey = SSL_kECDHE,
1144 .algorithm_auth = SSL_aNULL,
1145 .algorithm_enc = SSL_AES128,
1146 .algorithm_mac = SSL_SHA1,
1147 .algorithm_ssl = SSL_TLSV1,
1148 .algo_strength = SSL_HIGH,
1149 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1150 .strength_bits = 128,
1151 .alg_bits = 128,
1152 },
1153
1154 /* Cipher C019 */
1155 {
1156 .valid = 1,
1157 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1158 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1159 .algorithm_mkey = SSL_kECDHE,
1160 .algorithm_auth = SSL_aNULL,
1161 .algorithm_enc = SSL_AES256,
1162 .algorithm_mac = SSL_SHA1,
1163 .algorithm_ssl = SSL_TLSV1,
1164 .algo_strength = SSL_HIGH,
1165 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1166 .strength_bits = 256,
1167 .alg_bits = 256,
1168 },
1169
1170
1171 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1172
1173 /* Cipher C023 */
1174 {
1175 .valid = 1,
1176 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1177 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1178 .algorithm_mkey = SSL_kECDHE,
1179 .algorithm_auth = SSL_aECDSA,
1180 .algorithm_enc = SSL_AES128,
1181 .algorithm_mac = SSL_SHA256,
1182 .algorithm_ssl = SSL_TLSV1_2,
1183 .algo_strength = SSL_HIGH,
1184 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1185 .strength_bits = 128,
1186 .alg_bits = 128,
1187 },
1188
1189 /* Cipher C024 */
1190 {
1191 .valid = 1,
1192 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1193 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1194 .algorithm_mkey = SSL_kECDHE,
1195 .algorithm_auth = SSL_aECDSA,
1196 .algorithm_enc = SSL_AES256,
1197 .algorithm_mac = SSL_SHA384,
1198 .algorithm_ssl = SSL_TLSV1_2,
1199 .algo_strength = SSL_HIGH,
1200 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1201 .strength_bits = 256,
1202 .alg_bits = 256,
1203 },
1204
1205 /* Cipher C027 */
1206 {
1207 .valid = 1,
1208 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1209 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1210 .algorithm_mkey = SSL_kECDHE,
1211 .algorithm_auth = SSL_aRSA,
1212 .algorithm_enc = SSL_AES128,
1213 .algorithm_mac = SSL_SHA256,
1214 .algorithm_ssl = SSL_TLSV1_2,
1215 .algo_strength = SSL_HIGH,
1216 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1217 .strength_bits = 128,
1218 .alg_bits = 128,
1219 },
1220
1221 /* Cipher C028 */
1222 {
1223 .valid = 1,
1224 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1225 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1226 .algorithm_mkey = SSL_kECDHE,
1227 .algorithm_auth = SSL_aRSA,
1228 .algorithm_enc = SSL_AES256,
1229 .algorithm_mac = SSL_SHA384,
1230 .algorithm_ssl = SSL_TLSV1_2,
1231 .algo_strength = SSL_HIGH,
1232 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1233 .strength_bits = 256,
1234 .alg_bits = 256,
1235 },
1236
1237 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1238
1239 /* Cipher C02B */
1240 {
1241 .valid = 1,
1242 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1243 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1244 .algorithm_mkey = SSL_kECDHE,
1245 .algorithm_auth = SSL_aECDSA,
1246 .algorithm_enc = SSL_AES128GCM,
1247 .algorithm_mac = SSL_AEAD,
1248 .algorithm_ssl = SSL_TLSV1_2,
1249 .algo_strength = SSL_HIGH,
1250 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1251 FIXED_NONCE_LEN(4)|
1252 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1253 .strength_bits = 128,
1254 .alg_bits = 128,
1255 },
1256
1257 /* Cipher C02C */
1258 {
1259 .valid = 1,
1260 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1261 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1262 .algorithm_mkey = SSL_kECDHE,
1263 .algorithm_auth = SSL_aECDSA,
1264 .algorithm_enc = SSL_AES256GCM,
1265 .algorithm_mac = SSL_AEAD,
1266 .algorithm_ssl = SSL_TLSV1_2,
1267 .algo_strength = SSL_HIGH,
1268 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1269 FIXED_NONCE_LEN(4)|
1270 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1271 .strength_bits = 256,
1272 .alg_bits = 256,
1273 },
1274
1275 /* Cipher C02F */
1276 {
1277 .valid = 1,
1278 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1279 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1280 .algorithm_mkey = SSL_kECDHE,
1281 .algorithm_auth = SSL_aRSA,
1282 .algorithm_enc = SSL_AES128GCM,
1283 .algorithm_mac = SSL_AEAD,
1284 .algorithm_ssl = SSL_TLSV1_2,
1285 .algo_strength = SSL_HIGH,
1286 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1287 FIXED_NONCE_LEN(4)|
1288 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1289 .strength_bits = 128,
1290 .alg_bits = 128,
1291 },
1292
1293 /* Cipher C030 */
1294 {
1295 .valid = 1,
1296 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1297 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1298 .algorithm_mkey = SSL_kECDHE,
1299 .algorithm_auth = SSL_aRSA,
1300 .algorithm_enc = SSL_AES256GCM,
1301 .algorithm_mac = SSL_AEAD,
1302 .algorithm_ssl = SSL_TLSV1_2,
1303 .algo_strength = SSL_HIGH,
1304 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1305 FIXED_NONCE_LEN(4)|
1306 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1307 .strength_bits = 256,
1308 .alg_bits = 256,
1309 },
1310
1311 /* Cipher CCA8 */
1312 {
1313 .valid = 1,
1314 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1315 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1316 .algorithm_mkey = SSL_kECDHE,
1317 .algorithm_auth = SSL_aRSA,
1318 .algorithm_enc = SSL_CHACHA20POLY1305,
1319 .algorithm_mac = SSL_AEAD,
1320 .algorithm_ssl = SSL_TLSV1_2,
1321 .algo_strength = SSL_HIGH,
1322 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1323 FIXED_NONCE_LEN(12),
1324 .strength_bits = 256,
1325 .alg_bits = 256,
1326 },
1327
1328 /* Cipher CCA9 */
1329 {
1330 .valid = 1,
1331 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1332 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1333 .algorithm_mkey = SSL_kECDHE,
1334 .algorithm_auth = SSL_aECDSA,
1335 .algorithm_enc = SSL_CHACHA20POLY1305,
1336 .algorithm_mac = SSL_AEAD,
1337 .algorithm_ssl = SSL_TLSV1_2,
1338 .algo_strength = SSL_HIGH,
1339 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1340 FIXED_NONCE_LEN(12),
1341 .strength_bits = 256,
1342 .alg_bits = 256,
1343 },
1344
1345 /* Cipher CCAA */
1346 {
1347 .valid = 1,
1348 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1349 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1350 .algorithm_mkey = SSL_kDHE,
1351 .algorithm_auth = SSL_aRSA,
1352 .algorithm_enc = SSL_CHACHA20POLY1305,
1353 .algorithm_mac = SSL_AEAD,
1354 .algorithm_ssl = SSL_TLSV1_2,
1355 .algo_strength = SSL_HIGH,
1356 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1357 FIXED_NONCE_LEN(12),
1358 .strength_bits = 256,
1359 .alg_bits = 256,
1360 },
1361
1362 /* Cipher FF85 FIXME IANA */
1363 {
1364 .valid = 1,
1365 .name = "GOST2012256-GOST89-GOST89",
1366 .id = 0x300ff85, /* FIXME IANA */
1367 .algorithm_mkey = SSL_kGOST,
1368 .algorithm_auth = SSL_aGOST01,
1369 .algorithm_enc = SSL_eGOST2814789CNT,
1370 .algorithm_mac = SSL_GOST89MAC,
1371 .algorithm_ssl = SSL_TLSV1,
1372 .algo_strength = SSL_HIGH,
1373 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1374 TLS1_STREAM_MAC,
1375 .strength_bits = 256,
1376 .alg_bits = 256
1377 },
1378
1379 /* Cipher FF87 FIXME IANA */
1380 {
1381 .valid = 1,
1382 .name = "GOST2012256-NULL-STREEBOG256",
1383 .id = 0x300ff87, /* FIXME IANA */
1384 .algorithm_mkey = SSL_kGOST,
1385 .algorithm_auth = SSL_aGOST01,
1386 .algorithm_enc = SSL_eNULL,
1387 .algorithm_mac = SSL_STREEBOG256,
1388 .algorithm_ssl = SSL_TLSV1,
1389 .algo_strength = SSL_STRONG_NONE,
1390 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1391 .strength_bits = 0,
1392 .alg_bits = 0
1393 },
1394
1395
1396 /* end of list */
1397};
1398
1399int
1400ssl3_num_ciphers(void)
1401{
1402 return (SSL3_NUM_CIPHERS);
1403}
1404
1405const SSL_CIPHER *
1406ssl3_get_cipher(unsigned int u)
1407{
1408 if (u < SSL3_NUM_CIPHERS)
1409 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1410 else
1411 return (NULL);
1412}
1413
1414const SSL_CIPHER *
1415ssl3_get_cipher_by_id(unsigned int id)
1416{
1417 const SSL_CIPHER *cp;
1418 SSL_CIPHER c;
1419
1420 c.id = id;
1421 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1422 if (cp != NULL && cp->valid == 1)
1423 return (cp);
1424
1425 return (NULL);
1426}
1427
1428const SSL_CIPHER *
1429ssl3_get_cipher_by_value(uint16_t value)
1430{
1431 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1432}
1433
1434uint16_t
1435ssl3_cipher_get_value(const SSL_CIPHER *c)
1436{
1437 return (c->id & SSL3_CK_VALUE_MASK);
1438}
1439
1440int
1441ssl3_pending(const SSL *s)
1442{
1443 if (s->internal->rstate == SSL_ST_READ_BODY)
1444 return 0;
1445
1446 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1447 S3I(s)->rrec.length : 0;
1448}
1449
1450int
1451ssl3_handshake_msg_hdr_len(SSL *s)
1452{
1453 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1454 SSL3_HM_HEADER_LENGTH);
1455}
1456
1457int
1458ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1459{
1460 int ret = 0;
1461
1462 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1463 goto err;
1464 if (!CBB_add_u8(handshake, msg_type))
1465 goto err;
1466 if (SSL_is_dtls(s)) {
1467 unsigned char *data;
1468
1469 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1470 SSL3_HM_HEADER_LENGTH))
1471 goto err;
1472 }
1473 if (!CBB_add_u24_length_prefixed(handshake, body))
1474 goto err;
1475
1476 ret = 1;
1477
1478 err:
1479 return (ret);
1480}
1481
1482int
1483ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1484{
1485 unsigned char *data = NULL;
1486 size_t outlen;
1487 int ret = 0;
1488
1489 if (!CBB_finish(handshake, &data, &outlen))
1490 goto err;
1491
1492 if (outlen > INT_MAX)
1493 goto err;
1494
1495 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1496 goto err;
1497
1498 memcpy(s->internal->init_buf->data, data, outlen);
1499
1500 s->internal->init_num = (int)outlen;
1501 s->internal->init_off = 0;
1502
1503 if (SSL_is_dtls(s)) {
1504 unsigned long len;
1505 uint8_t msg_type;
1506 CBS cbs;
1507
1508 CBS_init(&cbs, data, outlen);
1509 if (!CBS_get_u8(&cbs, &msg_type))
1510 goto err;
1511
1512 len = outlen - ssl3_handshake_msg_hdr_len(s);
1513
1514 dtls1_set_message_header(s, msg_type, len, 0, len);
1515 dtls1_buffer_message(s, 0);
1516 }
1517
1518 ret = 1;
1519
1520 err:
1521 free(data);
1522
1523 return (ret);
1524}
1525
1526int
1527ssl3_handshake_write(SSL *s)
1528{
1529 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1530}
1531
1532int
1533ssl3_record_write(SSL *s, int type)
1534{
1535 if (SSL_is_dtls(s))
1536 return dtls1_do_write(s, type);
1537
1538 return ssl3_do_write(s, type);
1539}
1540
1541int
1542ssl3_new(SSL *s)
1543{
1544 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1545 return (0);
1546 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
1547 free(s->s3);
1548 return (0);
1549 }
1550
1551 s->method->ssl_clear(s);
1552
1553 return (1);
1554}
1555
1556void
1557ssl3_free(SSL *s)
1558{
1559 if (s == NULL)
1560 return;
1561
1562 tls1_cleanup_key_block(s);
1563 ssl3_release_read_buffer(s);
1564 ssl3_release_write_buffer(s);
1565 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
1566
1567 DH_free(S3I(s)->tmp.dh);
1568 EC_KEY_free(S3I(s)->tmp.ecdh);
1569 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1570
1571 tls13_key_share_free(S3I(s)->hs.tls13.key_share);
1572 tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
1573 freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
1574 tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
1575
1576 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free);
1577
1578 tls1_transcript_free(s);
1579 tls1_transcript_hash_free(s);
1580
1581 free(S3I(s)->alpn_selected);
1582
1583 freezero(S3I(s), sizeof(*S3I(s)));
1584 freezero(s->s3, sizeof(*s->s3));
1585
1586 s->s3 = NULL;
1587}
1588
1589void
1590ssl3_clear(SSL *s)
1591{
1592 struct ssl3_state_internal_st *internal;
1593 unsigned char *rp, *wp;
1594 size_t rlen, wlen;
1595
1596 tls1_cleanup_key_block(s);
1597 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free);
1598
1599 DH_free(S3I(s)->tmp.dh);
1600 S3I(s)->tmp.dh = NULL;
1601 EC_KEY_free(S3I(s)->tmp.ecdh);
1602 S3I(s)->tmp.ecdh = NULL;
1603 S3I(s)->tmp.ecdh_nid = NID_undef;
1604 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1605 S3I(s)->tmp.x25519 = NULL;
1606
1607 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
1608 S3I(s)->hs.sigalgs = NULL;
1609 S3I(s)->hs.sigalgs_len = 0;
1610
1611 tls13_key_share_free(S3I(s)->hs.tls13.key_share);
1612 S3I(s)->hs.tls13.key_share = NULL;
1613
1614 tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
1615 S3I(s)->hs.tls13.secrets = NULL;
1616 freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
1617 S3I(s)->hs.tls13.cookie = NULL;
1618 S3I(s)->hs.tls13.cookie_len = 0;
1619 tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
1620
1621 S3I(s)->hs.extensions_seen = 0;
1622
1623 rp = S3I(s)->rbuf.buf;
1624 wp = S3I(s)->wbuf.buf;
1625 rlen = S3I(s)->rbuf.len;
1626 wlen = S3I(s)->wbuf.len;
1627
1628 tls1_transcript_free(s);
1629 tls1_transcript_hash_free(s);
1630
1631 free(S3I(s)->alpn_selected);
1632 S3I(s)->alpn_selected = NULL;
1633 S3I(s)->alpn_selected_len = 0;
1634
1635 memset(S3I(s), 0, sizeof(*S3I(s)));
1636 internal = S3I(s);
1637 memset(s->s3, 0, sizeof(*s->s3));
1638 S3I(s) = internal;
1639
1640 S3I(s)->rbuf.buf = rp;
1641 S3I(s)->wbuf.buf = wp;
1642 S3I(s)->rbuf.len = rlen;
1643 S3I(s)->wbuf.len = wlen;
1644
1645 ssl_free_wbio_buffer(s);
1646
1647 /* Not needed... */
1648 S3I(s)->renegotiate = 0;
1649 S3I(s)->total_renegotiations = 0;
1650 S3I(s)->num_renegotiations = 0;
1651 S3I(s)->in_read_app_data = 0;
1652
1653 s->internal->packet_length = 0;
1654 s->version = TLS1_VERSION;
1655
1656 S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1657}
1658
1659long
1660_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1661{
1662 EVP_PKEY *pkey = NULL;
1663 SESS_CERT *sc;
1664 int ret = 0;
1665
1666 *key = NULL;
1667
1668 if (s->session == NULL || SSI(s)->sess_cert == NULL)
1669 return 0;
1670
1671 sc = SSI(s)->sess_cert;
1672
1673 if ((pkey = EVP_PKEY_new()) == NULL)
1674 return 0;
1675
1676 if (sc->peer_dh_tmp != NULL) {
1677 if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp))
1678 goto err;
1679 } else if (sc->peer_ecdh_tmp) {
1680 if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp))
1681 goto err;
1682 } else if (sc->peer_x25519_tmp != NULL) {
1683 if (!ssl_kex_dummy_ecdhe_x25519(pkey))
1684 goto err;
1685 } else if (S3I(s)->hs.tls13.key_share != NULL) {
1686 if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share,
1687 pkey))
1688 goto err;
1689 } else {
1690 goto err;
1691 }
1692
1693 *key = pkey;
1694 pkey = NULL;
1695
1696 ret = 1;
1697
1698 err:
1699 EVP_PKEY_free(pkey);
1700
1701 return (ret);
1702}
1703
1704static int
1705_SSL_session_reused(SSL *s)
1706{
1707 return s->internal->hit;
1708}
1709
1710static int
1711_SSL_num_renegotiations(SSL *s)
1712{
1713 return S3I(s)->num_renegotiations;
1714}
1715
1716static int
1717_SSL_clear_num_renegotiations(SSL *s)
1718{
1719 int renegs;
1720
1721 renegs = S3I(s)->num_renegotiations;
1722 S3I(s)->num_renegotiations = 0;
1723
1724 return renegs;
1725}
1726
1727static int
1728_SSL_total_renegotiations(SSL *s)
1729{
1730 return S3I(s)->total_renegotiations;
1731}
1732
1733static int
1734_SSL_set_tmp_dh(SSL *s, DH *dh)
1735{
1736 DH *dh_tmp;
1737
1738 if (dh == NULL) {
1739 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1740 return 0;
1741 }
1742
1743 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
1744 SSLerror(s, ERR_R_DH_LIB);
1745 return 0;
1746 }
1747
1748 DH_free(s->cert->dh_tmp);
1749 s->cert->dh_tmp = dh_tmp;
1750
1751 return 1;
1752}
1753
1754static int
1755_SSL_set_dh_auto(SSL *s, int state)
1756{
1757 s->cert->dh_tmp_auto = state;
1758 return 1;
1759}
1760
1761static int
1762_SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1763{
1764 const EC_GROUP *group;
1765 int nid;
1766
1767 if (ecdh == NULL)
1768 return 0;
1769 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1770 return 0;
1771
1772 nid = EC_GROUP_get_curve_name(group);
1773 return SSL_set1_groups(s, &nid, 1);
1774}
1775
1776static int
1777_SSL_set_ecdh_auto(SSL *s, int state)
1778{
1779 return 1;
1780}
1781
1782static int
1783_SSL_set_tlsext_host_name(SSL *s, const char *name)
1784{
1785 free(s->tlsext_hostname);
1786 s->tlsext_hostname = NULL;
1787
1788 if (name == NULL)
1789 return 1;
1790
1791 if (strlen(name) > TLSEXT_MAXLEN_host_name) {
1792 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1793 return 0;
1794 }
1795
1796 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1797 SSLerror(s, ERR_R_INTERNAL_ERROR);
1798 return 0;
1799 }
1800
1801 return 1;
1802}
1803
1804static int
1805_SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1806{
1807 s->internal->tlsext_debug_arg = arg;
1808 return 1;
1809}
1810
1811static int
1812_SSL_set_tlsext_status_type(SSL *s, int type)
1813{
1814 s->tlsext_status_type = type;
1815 return 1;
1816}
1817
1818static int
1819_SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1820{
1821 *exts = s->internal->tlsext_ocsp_exts;
1822 return 1;
1823}
1824
1825static int
1826_SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1827{
1828 /* XXX - leak... */
1829 s->internal->tlsext_ocsp_exts = exts;
1830 return 1;
1831}
1832
1833static int
1834_SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1835{
1836 *ids = s->internal->tlsext_ocsp_ids;
1837 return 1;
1838}
1839
1840static int
1841_SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1842{
1843 /* XXX - leak... */
1844 s->internal->tlsext_ocsp_ids = ids;
1845 return 1;
1846}
1847
1848static int
1849_SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1850{
1851 if (s->internal->tlsext_ocsp_resp != NULL &&
1852 s->internal->tlsext_ocsp_resp_len < INT_MAX) {
1853 *resp = s->internal->tlsext_ocsp_resp;
1854 return (int)s->internal->tlsext_ocsp_resp_len;
1855 }
1856
1857 *resp = NULL;
1858
1859 return -1;
1860}
1861
1862static int
1863_SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1864{
1865 free(s->internal->tlsext_ocsp_resp);
1866 s->internal->tlsext_ocsp_resp = NULL;
1867 s->internal->tlsext_ocsp_resp_len = 0;
1868
1869 if (resp_len < 0)
1870 return 0;
1871
1872 s->internal->tlsext_ocsp_resp = resp;
1873 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len;
1874
1875 return 1;
1876}
1877
1878int
1879SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1880{
1881 return ssl_cert_set0_chain(ssl->cert, chain);
1882}
1883
1884int
1885SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1886{
1887 return ssl_cert_set1_chain(ssl->cert, chain);
1888}
1889
1890int
1891SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1892{
1893 return ssl_cert_add0_chain_cert(ssl->cert, x509);
1894}
1895
1896int
1897SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1898{
1899 return ssl_cert_add1_chain_cert(ssl->cert, x509);
1900}
1901
1902int
1903SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1904{
1905 *out_chain = NULL;
1906
1907 if (ssl->cert->key != NULL)
1908 *out_chain = ssl->cert->key->chain;
1909
1910 return 1;
1911}
1912
1913int
1914SSL_clear_chain_certs(SSL *ssl)
1915{
1916 return ssl_cert_set0_chain(ssl->cert, NULL);
1917}
1918
1919int
1920SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1921{
1922 return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1923 &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1924}
1925
1926int
1927SSL_set1_groups_list(SSL *s, const char *groups)
1928{
1929 return tls1_set_group_list(&s->internal->tlsext_supportedgroups,
1930 &s->internal->tlsext_supportedgroups_length, groups);
1931}
1932
1933static int
1934_SSL_get_signature_nid(SSL *s, int *nid)
1935{
1936 const struct ssl_sigalg *sigalg;
1937
1938 if ((sigalg = S3I(s)->hs.our_sigalg) == NULL)
1939 return 0;
1940
1941 *nid = EVP_MD_type(sigalg->md());
1942
1943 return 1;
1944}
1945
1946static int
1947_SSL_get_peer_signature_nid(SSL *s, int *nid)
1948{
1949 const struct ssl_sigalg *sigalg;
1950
1951 if ((sigalg = S3I(s)->hs.peer_sigalg) == NULL)
1952 return 0;
1953
1954 *nid = EVP_MD_type(sigalg->md());
1955
1956 return 1;
1957}
1958
1959int
1960SSL_get_signature_type_nid(const SSL *s, int *nid)
1961{
1962 const struct ssl_sigalg *sigalg;
1963
1964 if ((sigalg = S3I(s)->hs.our_sigalg) == NULL)
1965 return 0;
1966
1967 *nid = sigalg->key_type;
1968 if (sigalg->key_type == EVP_PKEY_RSA &&
1969 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1970 *nid = EVP_PKEY_RSA_PSS;
1971
1972 return 1;
1973}
1974
1975int
1976SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
1977{
1978 const struct ssl_sigalg *sigalg;
1979
1980 if ((sigalg = S3I(s)->hs.peer_sigalg) == NULL)
1981 return 0;
1982
1983 *nid = sigalg->key_type;
1984 if (sigalg->key_type == EVP_PKEY_RSA &&
1985 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1986 *nid = EVP_PKEY_RSA_PSS;
1987
1988 return 1;
1989}
1990
1991long
1992ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1993{
1994 switch (cmd) {
1995 case SSL_CTRL_GET_SESSION_REUSED:
1996 return _SSL_session_reused(s);
1997
1998 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1999 return _SSL_num_renegotiations(s);
2000
2001 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
2002 return _SSL_clear_num_renegotiations(s);
2003
2004 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
2005 return _SSL_total_renegotiations(s);
2006
2007 case SSL_CTRL_SET_TMP_DH:
2008 return _SSL_set_tmp_dh(s, parg);
2009
2010 case SSL_CTRL_SET_TMP_DH_CB:
2011 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2012 return 0;
2013
2014 case SSL_CTRL_SET_DH_AUTO:
2015 return _SSL_set_dh_auto(s, larg);
2016
2017 case SSL_CTRL_SET_TMP_ECDH:
2018 return _SSL_set_tmp_ecdh(s, parg);
2019
2020 case SSL_CTRL_SET_TMP_ECDH_CB:
2021 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2022 return 0;
2023
2024 case SSL_CTRL_SET_ECDH_AUTO:
2025 return _SSL_set_ecdh_auto(s, larg);
2026
2027 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2028 if (larg != TLSEXT_NAMETYPE_host_name) {
2029 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2030 return 0;
2031 }
2032 return _SSL_set_tlsext_host_name(s, parg);
2033
2034 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2035 return _SSL_set_tlsext_debug_arg(s, parg);
2036
2037 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2038 return _SSL_set_tlsext_status_type(s, larg);
2039
2040 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2041 return _SSL_get_tlsext_status_exts(s, parg);
2042
2043 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2044 return _SSL_set_tlsext_status_exts(s, parg);
2045
2046 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2047 return _SSL_get_tlsext_status_ids(s, parg);
2048
2049 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2050 return _SSL_set_tlsext_status_ids(s, parg);
2051
2052 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2053 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2054
2055 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2056 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2057
2058 case SSL_CTRL_CHAIN:
2059 if (larg == 0)
2060 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2061 else
2062 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2063
2064 case SSL_CTRL_CHAIN_CERT:
2065 if (larg == 0)
2066 return SSL_add0_chain_cert(s, (X509 *)parg);
2067 else
2068 return SSL_add1_chain_cert(s, (X509 *)parg);
2069
2070 case SSL_CTRL_GET_CHAIN_CERTS:
2071 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2072
2073 case SSL_CTRL_SET_GROUPS:
2074 return SSL_set1_groups(s, parg, larg);
2075
2076 case SSL_CTRL_SET_GROUPS_LIST:
2077 return SSL_set1_groups_list(s, parg);
2078
2079 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2080 case SSL_CTRL_GET_SERVER_TMP_KEY:
2081 if (s->server != 0)
2082 return 0;
2083 return _SSL_get_peer_tmp_key(s, parg);
2084
2085 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2086 return SSL_get_min_proto_version(s);
2087
2088 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2089 return SSL_get_max_proto_version(s);
2090
2091 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2092 if (larg < 0 || larg > UINT16_MAX)
2093 return 0;
2094 return SSL_set_min_proto_version(s, larg);
2095
2096 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2097 if (larg < 0 || larg > UINT16_MAX)
2098 return 0;
2099 return SSL_set_max_proto_version(s, larg);
2100
2101 case SSL_CTRL_GET_SIGNATURE_NID:
2102 return _SSL_get_signature_nid(s, parg);
2103
2104 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2105 return _SSL_get_peer_signature_nid(s, parg);
2106
2107 /*
2108 * Legacy controls that should eventually be removed.
2109 */
2110 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2111 return 0;
2112
2113 case SSL_CTRL_GET_FLAGS:
2114 return (int)(s->s3->flags);
2115
2116 case SSL_CTRL_NEED_TMP_RSA:
2117 return 0;
2118
2119 case SSL_CTRL_SET_TMP_RSA:
2120 case SSL_CTRL_SET_TMP_RSA_CB:
2121 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2122 return 0;
2123 }
2124
2125 return 0;
2126}
2127
2128long
2129ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2130{
2131 switch (cmd) {
2132 case SSL_CTRL_SET_TMP_RSA_CB:
2133 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2134 return 0;
2135
2136 case SSL_CTRL_SET_TMP_DH_CB:
2137 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2138 return 1;
2139
2140 case SSL_CTRL_SET_TMP_ECDH_CB:
2141 return 1;
2142
2143 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2144 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2145 unsigned char *, int, void *))fp;
2146 return 1;
2147 }
2148
2149 return 0;
2150}
2151
2152static int
2153_SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2154{
2155 DH *dh_tmp;
2156
2157 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
2158 SSLerrorx(ERR_R_DH_LIB);
2159 return 0;
2160 }
2161
2162 DH_free(ctx->internal->cert->dh_tmp);
2163 ctx->internal->cert->dh_tmp = dh_tmp;
2164
2165 return 1;
2166}
2167
2168static int
2169_SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2170{
2171 ctx->internal->cert->dh_tmp_auto = state;
2172 return 1;
2173}
2174
2175static int
2176_SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2177{
2178 const EC_GROUP *group;
2179 int nid;
2180
2181 if (ecdh == NULL)
2182 return 0;
2183 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2184 return 0;
2185
2186 nid = EC_GROUP_get_curve_name(group);
2187 return SSL_CTX_set1_groups(ctx, &nid, 1);
2188}
2189
2190static int
2191_SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2192{
2193 return 1;
2194}
2195
2196static int
2197_SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2198{
2199 ctx->internal->tlsext_servername_arg = arg;
2200 return 1;
2201}
2202
2203static int
2204_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2205{
2206 if (keys == NULL)
2207 return 48;
2208
2209 if (keys_len != 48) {
2210 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2211 return 0;
2212 }
2213
2214 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2215 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2216 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2217
2218 return 1;
2219}
2220
2221static int
2222_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2223{
2224 if (keys == NULL)
2225 return 48;
2226
2227 if (keys_len != 48) {
2228 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2229 return 0;
2230 }
2231
2232 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2233 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2234 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2235
2236 return 1;
2237}
2238
2239static int
2240_SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2241{
2242 *arg = ctx->internal->tlsext_status_arg;
2243 return 1;
2244}
2245
2246static int
2247_SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2248{
2249 ctx->internal->tlsext_status_arg = arg;
2250 return 1;
2251}
2252
2253int
2254SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2255{
2256 return ssl_cert_set0_chain(ctx->internal->cert, chain);
2257}
2258
2259int
2260SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2261{
2262 return ssl_cert_set1_chain(ctx->internal->cert, chain);
2263}
2264
2265int
2266SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2267{
2268 return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
2269}
2270
2271int
2272SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2273{
2274 return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
2275}
2276
2277int
2278SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2279{
2280 *out_chain = NULL;
2281
2282 if (ctx->internal->cert->key != NULL)
2283 *out_chain = ctx->internal->cert->key->chain;
2284
2285 return 1;
2286}
2287
2288int
2289SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2290{
2291 return ssl_cert_set0_chain(ctx->internal->cert, NULL);
2292}
2293
2294static int
2295_SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2296{
2297 if (ctx->extra_certs == NULL) {
2298 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2299 return 0;
2300 }
2301 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2302 return 0;
2303
2304 return 1;
2305}
2306
2307static int
2308_SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2309{
2310 *certs = ctx->extra_certs;
2311 if (*certs == NULL)
2312 *certs = ctx->internal->cert->key->chain;
2313
2314 return 1;
2315}
2316
2317static int
2318_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2319{
2320 *certs = ctx->extra_certs;
2321 return 1;
2322}
2323
2324static int
2325_SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2326{
2327 sk_X509_pop_free(ctx->extra_certs, X509_free);
2328 ctx->extra_certs = NULL;
2329 return 1;
2330}
2331
2332int
2333SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2334{
2335 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2336 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2337}
2338
2339int
2340SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2341{
2342 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups,
2343 &ctx->internal->tlsext_supportedgroups_length, groups);
2344}
2345
2346long
2347ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2348{
2349 switch (cmd) {
2350 case SSL_CTRL_SET_TMP_DH:
2351 return _SSL_CTX_set_tmp_dh(ctx, parg);
2352
2353 case SSL_CTRL_SET_TMP_DH_CB:
2354 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2355 return 0;
2356
2357 case SSL_CTRL_SET_DH_AUTO:
2358 return _SSL_CTX_set_dh_auto(ctx, larg);
2359
2360 case SSL_CTRL_SET_TMP_ECDH:
2361 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2362
2363 case SSL_CTRL_SET_TMP_ECDH_CB:
2364 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2365 return 0;
2366
2367 case SSL_CTRL_SET_ECDH_AUTO:
2368 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2369
2370 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2371 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2372
2373 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2374 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2375
2376 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2377 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2378
2379 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2380 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2381
2382 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2383 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2384
2385 case SSL_CTRL_CHAIN:
2386 if (larg == 0)
2387 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2388 else
2389 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2390
2391 case SSL_CTRL_CHAIN_CERT:
2392 if (larg == 0)
2393 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2394 else
2395 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2396
2397 case SSL_CTRL_GET_CHAIN_CERTS:
2398 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2399
2400 case SSL_CTRL_EXTRA_CHAIN_CERT:
2401 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2402
2403 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2404 if (larg == 0)
2405 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2406 else
2407 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2408
2409 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2410 return _SSL_CTX_clear_extra_chain_certs(ctx);
2411
2412 case SSL_CTRL_SET_GROUPS:
2413 return SSL_CTX_set1_groups(ctx, parg, larg);
2414
2415 case SSL_CTRL_SET_GROUPS_LIST:
2416 return SSL_CTX_set1_groups_list(ctx, parg);
2417
2418 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2419 return SSL_CTX_get_min_proto_version(ctx);
2420
2421 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2422 return SSL_CTX_get_max_proto_version(ctx);
2423
2424 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2425 if (larg < 0 || larg > UINT16_MAX)
2426 return 0;
2427 return SSL_CTX_set_min_proto_version(ctx, larg);
2428
2429 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2430 if (larg < 0 || larg > UINT16_MAX)
2431 return 0;
2432 return SSL_CTX_set_max_proto_version(ctx, larg);
2433
2434 /*
2435 * Legacy controls that should eventually be removed.
2436 */
2437 case SSL_CTRL_NEED_TMP_RSA:
2438 return 0;
2439
2440 case SSL_CTRL_SET_TMP_RSA:
2441 case SSL_CTRL_SET_TMP_RSA_CB:
2442 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2443 return 0;
2444 }
2445
2446 return 0;
2447}
2448
2449long
2450ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2451{
2452 switch (cmd) {
2453 case SSL_CTRL_SET_TMP_RSA_CB:
2454 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2455 return 0;
2456
2457 case SSL_CTRL_SET_TMP_DH_CB:
2458 ctx->internal->cert->dh_tmp_cb =
2459 (DH *(*)(SSL *, int, int))fp;
2460 return 1;
2461
2462 case SSL_CTRL_SET_TMP_ECDH_CB:
2463 return 1;
2464
2465 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2466 ctx->internal->tlsext_servername_callback =
2467 (int (*)(SSL *, int *, void *))fp;
2468 return 1;
2469
2470 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2471 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2472 return 1;
2473
2474 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2475 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2476 return 1;
2477
2478 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2479 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2480 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2481 return 1;
2482 }
2483
2484 return 0;
2485}
2486
2487SSL_CIPHER *
2488ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2489 STACK_OF(SSL_CIPHER) *srvr)
2490{
2491 unsigned long alg_k, alg_a, mask_k, mask_a;
2492 STACK_OF(SSL_CIPHER) *prio, *allow;
2493 SSL_CIPHER *c, *ret = NULL;
2494 int can_use_ecc;
2495 int i, ii, ok;
2496 CERT *cert;
2497
2498 /* Let's see which ciphers we can support */
2499 cert = s->cert;
2500
2501 can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
2502
2503 /*
2504 * Do not set the compare functions, because this may lead to a
2505 * reordering by "id". We want to keep the original ordering.
2506 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2507 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2508 */
2509
2510 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2511 prio = srvr;
2512 allow = clnt;
2513 } else {
2514 prio = clnt;
2515 allow = srvr;
2516 }
2517
2518 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2519 c = sk_SSL_CIPHER_value(prio, i);
2520
2521 /* Skip TLS v1.2 only ciphersuites if not supported. */
2522 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2523 !SSL_USE_TLS1_2_CIPHERS(s))
2524 continue;
2525
2526 /* Skip TLS v1.3 only ciphersuites if not supported. */
2527 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2528 !SSL_USE_TLS1_3_CIPHERS(s))
2529 continue;
2530
2531 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2532 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2533 !(c->algorithm_ssl & SSL_TLSV1_3))
2534 continue;
2535
2536 ssl_set_cert_masks(cert, c);
2537 mask_k = cert->mask_k;
2538 mask_a = cert->mask_a;
2539
2540 alg_k = c->algorithm_mkey;
2541 alg_a = c->algorithm_auth;
2542
2543 ok = (alg_k & mask_k) && (alg_a & mask_a);
2544
2545 /*
2546 * If we are considering an ECC cipher suite that uses our
2547 * certificate check it.
2548 */
2549 if (alg_a & SSL_aECDSA)
2550 ok = ok && tls1_check_ec_server_key(s);
2551 /*
2552 * If we are considering an ECC cipher suite that uses
2553 * an ephemeral EC key check it.
2554 */
2555 if (alg_k & SSL_kECDHE)
2556 ok = ok && can_use_ecc;
2557
2558 if (!ok)
2559 continue;
2560 ii = sk_SSL_CIPHER_find(allow, c);
2561 if (ii >= 0) {
2562 ret = sk_SSL_CIPHER_value(allow, ii);
2563 break;
2564 }
2565 }
2566 return (ret);
2567}
2568
2569int
2570ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2571{
2572 unsigned long alg_k;
2573
2574 alg_k = S3I(s)->hs.cipher->algorithm_mkey;
2575
2576#ifndef OPENSSL_NO_GOST
2577 if ((alg_k & SSL_kGOST) != 0) {
2578 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2579 return 0;
2580 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2581 return 0;
2582 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2583 return 0;
2584 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2585 return 0;
2586 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2587 return 0;
2588 }
2589#endif
2590
2591 if ((alg_k & SSL_kDHE) != 0) {
2592 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2593 return 0;
2594 }
2595
2596 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2597 return 0;
2598
2599 /*
2600 * ECDSA certs can be used with RSA cipher suites as well
2601 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2602 */
2603 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2604 return 0;
2605
2606 return 1;
2607}
2608
2609int
2610ssl3_shutdown(SSL *s)
2611{
2612 int ret;
2613
2614 /*
2615 * Don't do anything much if we have not done the handshake or
2616 * we don't want to send messages :-)
2617 */
2618 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) {
2619 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2620 return (1);
2621 }
2622
2623 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2624 s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2625 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2626 /*
2627 * Our shutdown alert has been sent now, and if it still needs
2628 * to be written, S3I(s)->alert_dispatch will be true
2629 */
2630 if (S3I(s)->alert_dispatch)
2631 return(-1); /* return WANT_WRITE */
2632 } else if (S3I(s)->alert_dispatch) {
2633 /* resend it if not sent */
2634 ret = ssl3_dispatch_alert(s);
2635 if (ret == -1) {
2636 /*
2637 * We only get to return -1 here the 2nd/Nth
2638 * invocation, we must have already signalled
2639 * return 0 upon a previous invoation,
2640 * return WANT_WRITE
2641 */
2642 return (ret);
2643 }
2644 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2645 /* If we are waiting for a close from our peer, we are closed */
2646 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2647 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2648 return(-1); /* return WANT_READ */
2649 }
2650 }
2651
2652 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2653 !S3I(s)->alert_dispatch)
2654 return (1);
2655 else
2656 return (0);
2657}
2658
2659int
2660ssl3_write(SSL *s, const void *buf, int len)
2661{
2662 errno = 0;
2663
2664 if (S3I(s)->renegotiate)
2665 ssl3_renegotiate_check(s);
2666
2667 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2668 buf, len);
2669}
2670
2671static int
2672ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2673{
2674 int ret;
2675
2676 errno = 0;
2677 if (S3I(s)->renegotiate)
2678 ssl3_renegotiate_check(s);
2679 S3I(s)->in_read_app_data = 1;
2680
2681 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2682 peek);
2683 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2684 /*
2685 * ssl3_read_bytes decided to call s->internal->handshake_func,
2686 * which called ssl3_read_bytes to read handshake data.
2687 * However, ssl3_read_bytes actually found application data
2688 * and thinks that application data makes sense here; so disable
2689 * handshake processing and try to read application data again.
2690 */
2691 s->internal->in_handshake++;
2692 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2693 buf, len, peek);
2694 s->internal->in_handshake--;
2695 } else
2696 S3I(s)->in_read_app_data = 0;
2697
2698 return (ret);
2699}
2700
2701int
2702ssl3_read(SSL *s, void *buf, int len)
2703{
2704 return ssl3_read_internal(s, buf, len, 0);
2705}
2706
2707int
2708ssl3_peek(SSL *s, void *buf, int len)
2709{
2710 return ssl3_read_internal(s, buf, len, 1);
2711}
2712
2713int
2714ssl3_renegotiate(SSL *s)
2715{
2716 if (s->internal->handshake_func == NULL)
2717 return (1);
2718
2719 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2720 return (0);
2721
2722 S3I(s)->renegotiate = 1;
2723 return (1);
2724}
2725
2726int
2727ssl3_renegotiate_check(SSL *s)
2728{
2729 int ret = 0;
2730
2731 if (S3I(s)->renegotiate) {
2732 if ((S3I(s)->rbuf.left == 0) && (S3I(s)->wbuf.left == 0) &&
2733 !SSL_in_init(s)) {
2734 /*
2735 * If we are the server, and we have sent
2736 * a 'RENEGOTIATE' message, we need to go
2737 * to SSL_ST_ACCEPT.
2738 */
2739 /* SSL_ST_ACCEPT */
2740 S3I(s)->hs.state = SSL_ST_RENEGOTIATE;
2741 S3I(s)->renegotiate = 0;
2742 S3I(s)->num_renegotiations++;
2743 S3I(s)->total_renegotiations++;
2744 ret = 1;
2745 }
2746 }
2747 return (ret);
2748}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 19:29:56 +0000