summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/s3_lib.c')
-rw-r--r--src/lib/libssl/s3_lib.c2811
1 files changed, 0 insertions, 2811 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
deleted file mode 100644
index 9e76cf93d8..0000000000
--- a/src/lib/libssl/s3_lib.c
+++ /dev/null
@@ -1,2811 +0,0 @@
1/* $OpenBSD: s3_lib.c,v 1.242 2022/11/26 16:08:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdio.h>
153
154#include <openssl/bn.h>
155#include <openssl/curve25519.h>
156#include <openssl/dh.h>
157#include <openssl/md5.h>
158#include <openssl/objects.h>
159#include <openssl/opensslconf.h>
160
161#include "bytestring.h"
162#include "dtls_local.h"
163#include "ssl_local.h"
164#include "ssl_sigalgs.h"
165#include "ssl_tlsext.h"
166#include "tls_content.h"
167
168#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
169
170/*
171 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
172 * fixed nonce length in algorithms2. It is the inverse of the
173 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
174 */
175#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
176
177/* list of available SSLv3 ciphers (sorted by id) */
178const SSL_CIPHER ssl3_ciphers[] = {
179
180 /* The RSA ciphers */
181 /* Cipher 01 */
182 {
183 .valid = 1,
184 .name = SSL3_TXT_RSA_NULL_MD5,
185 .id = SSL3_CK_RSA_NULL_MD5,
186 .algorithm_mkey = SSL_kRSA,
187 .algorithm_auth = SSL_aRSA,
188 .algorithm_enc = SSL_eNULL,
189 .algorithm_mac = SSL_MD5,
190 .algorithm_ssl = SSL_SSLV3,
191 .algo_strength = SSL_STRONG_NONE,
192 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
193 .strength_bits = 0,
194 .alg_bits = 0,
195 },
196
197 /* Cipher 02 */
198 {
199 .valid = 1,
200 .name = SSL3_TXT_RSA_NULL_SHA,
201 .id = SSL3_CK_RSA_NULL_SHA,
202 .algorithm_mkey = SSL_kRSA,
203 .algorithm_auth = SSL_aRSA,
204 .algorithm_enc = SSL_eNULL,
205 .algorithm_mac = SSL_SHA1,
206 .algorithm_ssl = SSL_SSLV3,
207 .algo_strength = SSL_STRONG_NONE,
208 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
209 .strength_bits = 0,
210 .alg_bits = 0,
211 },
212
213 /* Cipher 04 */
214 {
215 .valid = 1,
216 .name = SSL3_TXT_RSA_RC4_128_MD5,
217 .id = SSL3_CK_RSA_RC4_128_MD5,
218 .algorithm_mkey = SSL_kRSA,
219 .algorithm_auth = SSL_aRSA,
220 .algorithm_enc = SSL_RC4,
221 .algorithm_mac = SSL_MD5,
222 .algorithm_ssl = SSL_SSLV3,
223 .algo_strength = SSL_LOW,
224 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
225 .strength_bits = 128,
226 .alg_bits = 128,
227 },
228
229 /* Cipher 05 */
230 {
231 .valid = 1,
232 .name = SSL3_TXT_RSA_RC4_128_SHA,
233 .id = SSL3_CK_RSA_RC4_128_SHA,
234 .algorithm_mkey = SSL_kRSA,
235 .algorithm_auth = SSL_aRSA,
236 .algorithm_enc = SSL_RC4,
237 .algorithm_mac = SSL_SHA1,
238 .algorithm_ssl = SSL_SSLV3,
239 .algo_strength = SSL_LOW,
240 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
241 .strength_bits = 128,
242 .alg_bits = 128,
243 },
244
245 /* Cipher 0A */
246 {
247 .valid = 1,
248 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
249 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
250 .algorithm_mkey = SSL_kRSA,
251 .algorithm_auth = SSL_aRSA,
252 .algorithm_enc = SSL_3DES,
253 .algorithm_mac = SSL_SHA1,
254 .algorithm_ssl = SSL_SSLV3,
255 .algo_strength = SSL_MEDIUM,
256 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
257 .strength_bits = 112,
258 .alg_bits = 168,
259 },
260
261 /*
262 * Ephemeral DH (DHE) ciphers.
263 */
264
265 /* Cipher 16 */
266 {
267 .valid = 1,
268 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
269 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
270 .algorithm_mkey = SSL_kDHE,
271 .algorithm_auth = SSL_aRSA,
272 .algorithm_enc = SSL_3DES,
273 .algorithm_mac = SSL_SHA1,
274 .algorithm_ssl = SSL_SSLV3,
275 .algo_strength = SSL_MEDIUM,
276 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
277 .strength_bits = 112,
278 .alg_bits = 168,
279 },
280
281 /* Cipher 18 */
282 {
283 .valid = 1,
284 .name = SSL3_TXT_ADH_RC4_128_MD5,
285 .id = SSL3_CK_ADH_RC4_128_MD5,
286 .algorithm_mkey = SSL_kDHE,
287 .algorithm_auth = SSL_aNULL,
288 .algorithm_enc = SSL_RC4,
289 .algorithm_mac = SSL_MD5,
290 .algorithm_ssl = SSL_SSLV3,
291 .algo_strength = SSL_LOW,
292 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
293 .strength_bits = 128,
294 .alg_bits = 128,
295 },
296
297 /* Cipher 1B */
298 {
299 .valid = 1,
300 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
301 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
302 .algorithm_mkey = SSL_kDHE,
303 .algorithm_auth = SSL_aNULL,
304 .algorithm_enc = SSL_3DES,
305 .algorithm_mac = SSL_SHA1,
306 .algorithm_ssl = SSL_SSLV3,
307 .algo_strength = SSL_MEDIUM,
308 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
309 .strength_bits = 112,
310 .alg_bits = 168,
311 },
312
313 /*
314 * AES ciphersuites.
315 */
316
317 /* Cipher 2F */
318 {
319 .valid = 1,
320 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
321 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
322 .algorithm_mkey = SSL_kRSA,
323 .algorithm_auth = SSL_aRSA,
324 .algorithm_enc = SSL_AES128,
325 .algorithm_mac = SSL_SHA1,
326 .algorithm_ssl = SSL_TLSV1,
327 .algo_strength = SSL_HIGH,
328 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
329 .strength_bits = 128,
330 .alg_bits = 128,
331 },
332
333 /* Cipher 33 */
334 {
335 .valid = 1,
336 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
337 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
338 .algorithm_mkey = SSL_kDHE,
339 .algorithm_auth = SSL_aRSA,
340 .algorithm_enc = SSL_AES128,
341 .algorithm_mac = SSL_SHA1,
342 .algorithm_ssl = SSL_TLSV1,
343 .algo_strength = SSL_HIGH,
344 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
345 .strength_bits = 128,
346 .alg_bits = 128,
347 },
348
349 /* Cipher 34 */
350 {
351 .valid = 1,
352 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
353 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
354 .algorithm_mkey = SSL_kDHE,
355 .algorithm_auth = SSL_aNULL,
356 .algorithm_enc = SSL_AES128,
357 .algorithm_mac = SSL_SHA1,
358 .algorithm_ssl = SSL_TLSV1,
359 .algo_strength = SSL_HIGH,
360 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
361 .strength_bits = 128,
362 .alg_bits = 128,
363 },
364
365 /* Cipher 35 */
366 {
367 .valid = 1,
368 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
369 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
370 .algorithm_mkey = SSL_kRSA,
371 .algorithm_auth = SSL_aRSA,
372 .algorithm_enc = SSL_AES256,
373 .algorithm_mac = SSL_SHA1,
374 .algorithm_ssl = SSL_TLSV1,
375 .algo_strength = SSL_HIGH,
376 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
377 .strength_bits = 256,
378 .alg_bits = 256,
379 },
380
381 /* Cipher 39 */
382 {
383 .valid = 1,
384 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
385 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
386 .algorithm_mkey = SSL_kDHE,
387 .algorithm_auth = SSL_aRSA,
388 .algorithm_enc = SSL_AES256,
389 .algorithm_mac = SSL_SHA1,
390 .algorithm_ssl = SSL_TLSV1,
391 .algo_strength = SSL_HIGH,
392 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
393 .strength_bits = 256,
394 .alg_bits = 256,
395 },
396
397 /* Cipher 3A */
398 {
399 .valid = 1,
400 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
401 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
402 .algorithm_mkey = SSL_kDHE,
403 .algorithm_auth = SSL_aNULL,
404 .algorithm_enc = SSL_AES256,
405 .algorithm_mac = SSL_SHA1,
406 .algorithm_ssl = SSL_TLSV1,
407 .algo_strength = SSL_HIGH,
408 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
409 .strength_bits = 256,
410 .alg_bits = 256,
411 },
412
413 /* TLS v1.2 ciphersuites */
414 /* Cipher 3B */
415 {
416 .valid = 1,
417 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
418 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
419 .algorithm_mkey = SSL_kRSA,
420 .algorithm_auth = SSL_aRSA,
421 .algorithm_enc = SSL_eNULL,
422 .algorithm_mac = SSL_SHA256,
423 .algorithm_ssl = SSL_TLSV1_2,
424 .algo_strength = SSL_STRONG_NONE,
425 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
426 .strength_bits = 0,
427 .alg_bits = 0,
428 },
429
430 /* Cipher 3C */
431 {
432 .valid = 1,
433 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
434 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
435 .algorithm_mkey = SSL_kRSA,
436 .algorithm_auth = SSL_aRSA,
437 .algorithm_enc = SSL_AES128,
438 .algorithm_mac = SSL_SHA256,
439 .algorithm_ssl = SSL_TLSV1_2,
440 .algo_strength = SSL_HIGH,
441 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
442 .strength_bits = 128,
443 .alg_bits = 128,
444 },
445
446 /* Cipher 3D */
447 {
448 .valid = 1,
449 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
450 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
451 .algorithm_mkey = SSL_kRSA,
452 .algorithm_auth = SSL_aRSA,
453 .algorithm_enc = SSL_AES256,
454 .algorithm_mac = SSL_SHA256,
455 .algorithm_ssl = SSL_TLSV1_2,
456 .algo_strength = SSL_HIGH,
457 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
458 .strength_bits = 256,
459 .alg_bits = 256,
460 },
461
462#ifndef OPENSSL_NO_CAMELLIA
463 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
464
465 /* Cipher 41 */
466 {
467 .valid = 1,
468 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
469 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
470 .algorithm_mkey = SSL_kRSA,
471 .algorithm_auth = SSL_aRSA,
472 .algorithm_enc = SSL_CAMELLIA128,
473 .algorithm_mac = SSL_SHA1,
474 .algorithm_ssl = SSL_TLSV1,
475 .algo_strength = SSL_HIGH,
476 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
477 .strength_bits = 128,
478 .alg_bits = 128,
479 },
480
481 /* Cipher 45 */
482 {
483 .valid = 1,
484 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
485 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
486 .algorithm_mkey = SSL_kDHE,
487 .algorithm_auth = SSL_aRSA,
488 .algorithm_enc = SSL_CAMELLIA128,
489 .algorithm_mac = SSL_SHA1,
490 .algorithm_ssl = SSL_TLSV1,
491 .algo_strength = SSL_HIGH,
492 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
493 .strength_bits = 128,
494 .alg_bits = 128,
495 },
496
497 /* Cipher 46 */
498 {
499 .valid = 1,
500 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
501 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
502 .algorithm_mkey = SSL_kDHE,
503 .algorithm_auth = SSL_aNULL,
504 .algorithm_enc = SSL_CAMELLIA128,
505 .algorithm_mac = SSL_SHA1,
506 .algorithm_ssl = SSL_TLSV1,
507 .algo_strength = SSL_HIGH,
508 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
509 .strength_bits = 128,
510 .alg_bits = 128,
511 },
512#endif /* OPENSSL_NO_CAMELLIA */
513
514 /* TLS v1.2 ciphersuites */
515 /* Cipher 67 */
516 {
517 .valid = 1,
518 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
519 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
520 .algorithm_mkey = SSL_kDHE,
521 .algorithm_auth = SSL_aRSA,
522 .algorithm_enc = SSL_AES128,
523 .algorithm_mac = SSL_SHA256,
524 .algorithm_ssl = SSL_TLSV1_2,
525 .algo_strength = SSL_HIGH,
526 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
527 .strength_bits = 128,
528 .alg_bits = 128,
529 },
530
531 /* Cipher 6B */
532 {
533 .valid = 1,
534 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
535 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
536 .algorithm_mkey = SSL_kDHE,
537 .algorithm_auth = SSL_aRSA,
538 .algorithm_enc = SSL_AES256,
539 .algorithm_mac = SSL_SHA256,
540 .algorithm_ssl = SSL_TLSV1_2,
541 .algo_strength = SSL_HIGH,
542 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
543 .strength_bits = 256,
544 .alg_bits = 256,
545 },
546
547 /* Cipher 6C */
548 {
549 .valid = 1,
550 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
551 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
552 .algorithm_mkey = SSL_kDHE,
553 .algorithm_auth = SSL_aNULL,
554 .algorithm_enc = SSL_AES128,
555 .algorithm_mac = SSL_SHA256,
556 .algorithm_ssl = SSL_TLSV1_2,
557 .algo_strength = SSL_HIGH,
558 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
559 .strength_bits = 128,
560 .alg_bits = 128,
561 },
562
563 /* Cipher 6D */
564 {
565 .valid = 1,
566 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
567 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
568 .algorithm_mkey = SSL_kDHE,
569 .algorithm_auth = SSL_aNULL,
570 .algorithm_enc = SSL_AES256,
571 .algorithm_mac = SSL_SHA256,
572 .algorithm_ssl = SSL_TLSV1_2,
573 .algo_strength = SSL_HIGH,
574 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
575 .strength_bits = 256,
576 .alg_bits = 256,
577 },
578
579 /* GOST Ciphersuites */
580
581 /* Cipher 81 */
582 {
583 .valid = 1,
584 .name = "GOST2001-GOST89-GOST89",
585 .id = 0x3000081,
586 .algorithm_mkey = SSL_kGOST,
587 .algorithm_auth = SSL_aGOST01,
588 .algorithm_enc = SSL_eGOST2814789CNT,
589 .algorithm_mac = SSL_GOST89MAC,
590 .algorithm_ssl = SSL_TLSV1,
591 .algo_strength = SSL_HIGH,
592 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
593 TLS1_STREAM_MAC,
594 .strength_bits = 256,
595 .alg_bits = 256
596 },
597
598 /* Cipher 83 */
599 {
600 .valid = 1,
601 .name = "GOST2001-NULL-GOST94",
602 .id = 0x3000083,
603 .algorithm_mkey = SSL_kGOST,
604 .algorithm_auth = SSL_aGOST01,
605 .algorithm_enc = SSL_eNULL,
606 .algorithm_mac = SSL_GOST94,
607 .algorithm_ssl = SSL_TLSV1,
608 .algo_strength = SSL_STRONG_NONE,
609 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
610 .strength_bits = 0,
611 .alg_bits = 0
612 },
613
614#ifndef OPENSSL_NO_CAMELLIA
615 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
616
617 /* Cipher 84 */
618 {
619 .valid = 1,
620 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
621 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
622 .algorithm_mkey = SSL_kRSA,
623 .algorithm_auth = SSL_aRSA,
624 .algorithm_enc = SSL_CAMELLIA256,
625 .algorithm_mac = SSL_SHA1,
626 .algorithm_ssl = SSL_TLSV1,
627 .algo_strength = SSL_HIGH,
628 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
629 .strength_bits = 256,
630 .alg_bits = 256,
631 },
632
633 /* Cipher 88 */
634 {
635 .valid = 1,
636 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
637 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
638 .algorithm_mkey = SSL_kDHE,
639 .algorithm_auth = SSL_aRSA,
640 .algorithm_enc = SSL_CAMELLIA256,
641 .algorithm_mac = SSL_SHA1,
642 .algorithm_ssl = SSL_TLSV1,
643 .algo_strength = SSL_HIGH,
644 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
645 .strength_bits = 256,
646 .alg_bits = 256,
647 },
648
649 /* Cipher 89 */
650 {
651 .valid = 1,
652 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
653 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
654 .algorithm_mkey = SSL_kDHE,
655 .algorithm_auth = SSL_aNULL,
656 .algorithm_enc = SSL_CAMELLIA256,
657 .algorithm_mac = SSL_SHA1,
658 .algorithm_ssl = SSL_TLSV1,
659 .algo_strength = SSL_HIGH,
660 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
661 .strength_bits = 256,
662 .alg_bits = 256,
663 },
664#endif /* OPENSSL_NO_CAMELLIA */
665
666 /*
667 * GCM ciphersuites from RFC5288.
668 */
669
670 /* Cipher 9C */
671 {
672 .valid = 1,
673 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
674 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
675 .algorithm_mkey = SSL_kRSA,
676 .algorithm_auth = SSL_aRSA,
677 .algorithm_enc = SSL_AES128GCM,
678 .algorithm_mac = SSL_AEAD,
679 .algorithm_ssl = SSL_TLSV1_2,
680 .algo_strength = SSL_HIGH,
681 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
682 FIXED_NONCE_LEN(4)|
683 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
684 .strength_bits = 128,
685 .alg_bits = 128,
686 },
687
688 /* Cipher 9D */
689 {
690 .valid = 1,
691 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
692 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
693 .algorithm_mkey = SSL_kRSA,
694 .algorithm_auth = SSL_aRSA,
695 .algorithm_enc = SSL_AES256GCM,
696 .algorithm_mac = SSL_AEAD,
697 .algorithm_ssl = SSL_TLSV1_2,
698 .algo_strength = SSL_HIGH,
699 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
700 FIXED_NONCE_LEN(4)|
701 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
702 .strength_bits = 256,
703 .alg_bits = 256,
704 },
705
706 /* Cipher 9E */
707 {
708 .valid = 1,
709 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
710 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
711 .algorithm_mkey = SSL_kDHE,
712 .algorithm_auth = SSL_aRSA,
713 .algorithm_enc = SSL_AES128GCM,
714 .algorithm_mac = SSL_AEAD,
715 .algorithm_ssl = SSL_TLSV1_2,
716 .algo_strength = SSL_HIGH,
717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
718 FIXED_NONCE_LEN(4)|
719 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
720 .strength_bits = 128,
721 .alg_bits = 128,
722 },
723
724 /* Cipher 9F */
725 {
726 .valid = 1,
727 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
728 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
729 .algorithm_mkey = SSL_kDHE,
730 .algorithm_auth = SSL_aRSA,
731 .algorithm_enc = SSL_AES256GCM,
732 .algorithm_mac = SSL_AEAD,
733 .algorithm_ssl = SSL_TLSV1_2,
734 .algo_strength = SSL_HIGH,
735 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
736 FIXED_NONCE_LEN(4)|
737 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
738 .strength_bits = 256,
739 .alg_bits = 256,
740 },
741
742 /* Cipher A6 */
743 {
744 .valid = 1,
745 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
746 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
747 .algorithm_mkey = SSL_kDHE,
748 .algorithm_auth = SSL_aNULL,
749 .algorithm_enc = SSL_AES128GCM,
750 .algorithm_mac = SSL_AEAD,
751 .algorithm_ssl = SSL_TLSV1_2,
752 .algo_strength = SSL_HIGH,
753 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
754 FIXED_NONCE_LEN(4)|
755 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
756 .strength_bits = 128,
757 .alg_bits = 128,
758 },
759
760 /* Cipher A7 */
761 {
762 .valid = 1,
763 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
764 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
765 .algorithm_mkey = SSL_kDHE,
766 .algorithm_auth = SSL_aNULL,
767 .algorithm_enc = SSL_AES256GCM,
768 .algorithm_mac = SSL_AEAD,
769 .algorithm_ssl = SSL_TLSV1_2,
770 .algo_strength = SSL_HIGH,
771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
772 FIXED_NONCE_LEN(4)|
773 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
774 .strength_bits = 256,
775 .alg_bits = 256,
776 },
777
778#ifndef OPENSSL_NO_CAMELLIA
779 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
780
781 /* Cipher BA */
782 {
783 .valid = 1,
784 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
785 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
786 .algorithm_mkey = SSL_kRSA,
787 .algorithm_auth = SSL_aRSA,
788 .algorithm_enc = SSL_CAMELLIA128,
789 .algorithm_mac = SSL_SHA256,
790 .algorithm_ssl = SSL_TLSV1_2,
791 .algo_strength = SSL_HIGH,
792 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
793 .strength_bits = 128,
794 .alg_bits = 128,
795 },
796
797 /* Cipher BE */
798 {
799 .valid = 1,
800 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
801 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
802 .algorithm_mkey = SSL_kDHE,
803 .algorithm_auth = SSL_aRSA,
804 .algorithm_enc = SSL_CAMELLIA128,
805 .algorithm_mac = SSL_SHA256,
806 .algorithm_ssl = SSL_TLSV1_2,
807 .algo_strength = SSL_HIGH,
808 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
809 .strength_bits = 128,
810 .alg_bits = 128,
811 },
812
813 /* Cipher BF */
814 {
815 .valid = 1,
816 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
817 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
818 .algorithm_mkey = SSL_kDHE,
819 .algorithm_auth = SSL_aNULL,
820 .algorithm_enc = SSL_CAMELLIA128,
821 .algorithm_mac = SSL_SHA256,
822 .algorithm_ssl = SSL_TLSV1_2,
823 .algo_strength = SSL_HIGH,
824 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
825 .strength_bits = 128,
826 .alg_bits = 128,
827 },
828
829 /* Cipher C0 */
830 {
831 .valid = 1,
832 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
833 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
834 .algorithm_mkey = SSL_kRSA,
835 .algorithm_auth = SSL_aRSA,
836 .algorithm_enc = SSL_CAMELLIA256,
837 .algorithm_mac = SSL_SHA256,
838 .algorithm_ssl = SSL_TLSV1_2,
839 .algo_strength = SSL_HIGH,
840 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
841 .strength_bits = 256,
842 .alg_bits = 256,
843 },
844
845 /* Cipher C4 */
846 {
847 .valid = 1,
848 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
849 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
850 .algorithm_mkey = SSL_kDHE,
851 .algorithm_auth = SSL_aRSA,
852 .algorithm_enc = SSL_CAMELLIA256,
853 .algorithm_mac = SSL_SHA256,
854 .algorithm_ssl = SSL_TLSV1_2,
855 .algo_strength = SSL_HIGH,
856 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
857 .strength_bits = 256,
858 .alg_bits = 256,
859 },
860
861 /* Cipher C5 */
862 {
863 .valid = 1,
864 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
865 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
866 .algorithm_mkey = SSL_kDHE,
867 .algorithm_auth = SSL_aNULL,
868 .algorithm_enc = SSL_CAMELLIA256,
869 .algorithm_mac = SSL_SHA256,
870 .algorithm_ssl = SSL_TLSV1_2,
871 .algo_strength = SSL_HIGH,
872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
873 .strength_bits = 256,
874 .alg_bits = 256,
875 },
876#endif /* OPENSSL_NO_CAMELLIA */
877
878 /*
879 * TLSv1.3 cipher suites.
880 */
881
882#ifdef LIBRESSL_HAS_TLS1_3
883 /* Cipher 1301 */
884 {
885 .valid = 1,
886 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
887 .id = TLS1_3_CK_AES_128_GCM_SHA256,
888 .algorithm_mkey = SSL_kTLS1_3,
889 .algorithm_auth = SSL_aTLS1_3,
890 .algorithm_enc = SSL_AES128GCM,
891 .algorithm_mac = SSL_AEAD,
892 .algorithm_ssl = SSL_TLSV1_3,
893 .algo_strength = SSL_HIGH,
894 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
895 .strength_bits = 128,
896 .alg_bits = 128,
897 },
898
899 /* Cipher 1302 */
900 {
901 .valid = 1,
902 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
903 .id = TLS1_3_CK_AES_256_GCM_SHA384,
904 .algorithm_mkey = SSL_kTLS1_3,
905 .algorithm_auth = SSL_aTLS1_3,
906 .algorithm_enc = SSL_AES256GCM,
907 .algorithm_mac = SSL_AEAD,
908 .algorithm_ssl = SSL_TLSV1_3,
909 .algo_strength = SSL_HIGH,
910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
911 .strength_bits = 256,
912 .alg_bits = 256,
913 },
914
915 /* Cipher 1303 */
916 {
917 .valid = 1,
918 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
919 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
920 .algorithm_mkey = SSL_kTLS1_3,
921 .algorithm_auth = SSL_aTLS1_3,
922 .algorithm_enc = SSL_CHACHA20POLY1305,
923 .algorithm_mac = SSL_AEAD,
924 .algorithm_ssl = SSL_TLSV1_3,
925 .algo_strength = SSL_HIGH,
926 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
927 .strength_bits = 256,
928 .alg_bits = 256,
929 },
930#endif
931
932 /* Cipher C006 */
933 {
934 .valid = 1,
935 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
936 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
937 .algorithm_mkey = SSL_kECDHE,
938 .algorithm_auth = SSL_aECDSA,
939 .algorithm_enc = SSL_eNULL,
940 .algorithm_mac = SSL_SHA1,
941 .algorithm_ssl = SSL_TLSV1,
942 .algo_strength = SSL_STRONG_NONE,
943 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
944 .strength_bits = 0,
945 .alg_bits = 0,
946 },
947
948 /* Cipher C007 */
949 {
950 .valid = 1,
951 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
952 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
953 .algorithm_mkey = SSL_kECDHE,
954 .algorithm_auth = SSL_aECDSA,
955 .algorithm_enc = SSL_RC4,
956 .algorithm_mac = SSL_SHA1,
957 .algorithm_ssl = SSL_TLSV1,
958 .algo_strength = SSL_LOW,
959 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
960 .strength_bits = 128,
961 .alg_bits = 128,
962 },
963
964 /* Cipher C008 */
965 {
966 .valid = 1,
967 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
968 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
969 .algorithm_mkey = SSL_kECDHE,
970 .algorithm_auth = SSL_aECDSA,
971 .algorithm_enc = SSL_3DES,
972 .algorithm_mac = SSL_SHA1,
973 .algorithm_ssl = SSL_TLSV1,
974 .algo_strength = SSL_MEDIUM,
975 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
976 .strength_bits = 112,
977 .alg_bits = 168,
978 },
979
980 /* Cipher C009 */
981 {
982 .valid = 1,
983 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
984 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
985 .algorithm_mkey = SSL_kECDHE,
986 .algorithm_auth = SSL_aECDSA,
987 .algorithm_enc = SSL_AES128,
988 .algorithm_mac = SSL_SHA1,
989 .algorithm_ssl = SSL_TLSV1,
990 .algo_strength = SSL_HIGH,
991 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
992 .strength_bits = 128,
993 .alg_bits = 128,
994 },
995
996 /* Cipher C00A */
997 {
998 .valid = 1,
999 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1000 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1001 .algorithm_mkey = SSL_kECDHE,
1002 .algorithm_auth = SSL_aECDSA,
1003 .algorithm_enc = SSL_AES256,
1004 .algorithm_mac = SSL_SHA1,
1005 .algorithm_ssl = SSL_TLSV1,
1006 .algo_strength = SSL_HIGH,
1007 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1008 .strength_bits = 256,
1009 .alg_bits = 256,
1010 },
1011
1012 /* Cipher C010 */
1013 {
1014 .valid = 1,
1015 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1016 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1017 .algorithm_mkey = SSL_kECDHE,
1018 .algorithm_auth = SSL_aRSA,
1019 .algorithm_enc = SSL_eNULL,
1020 .algorithm_mac = SSL_SHA1,
1021 .algorithm_ssl = SSL_TLSV1,
1022 .algo_strength = SSL_STRONG_NONE,
1023 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1024 .strength_bits = 0,
1025 .alg_bits = 0,
1026 },
1027
1028 /* Cipher C011 */
1029 {
1030 .valid = 1,
1031 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1032 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1033 .algorithm_mkey = SSL_kECDHE,
1034 .algorithm_auth = SSL_aRSA,
1035 .algorithm_enc = SSL_RC4,
1036 .algorithm_mac = SSL_SHA1,
1037 .algorithm_ssl = SSL_TLSV1,
1038 .algo_strength = SSL_LOW,
1039 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1040 .strength_bits = 128,
1041 .alg_bits = 128,
1042 },
1043
1044 /* Cipher C012 */
1045 {
1046 .valid = 1,
1047 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1048 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1049 .algorithm_mkey = SSL_kECDHE,
1050 .algorithm_auth = SSL_aRSA,
1051 .algorithm_enc = SSL_3DES,
1052 .algorithm_mac = SSL_SHA1,
1053 .algorithm_ssl = SSL_TLSV1,
1054 .algo_strength = SSL_MEDIUM,
1055 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1056 .strength_bits = 112,
1057 .alg_bits = 168,
1058 },
1059
1060 /* Cipher C013 */
1061 {
1062 .valid = 1,
1063 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1064 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1065 .algorithm_mkey = SSL_kECDHE,
1066 .algorithm_auth = SSL_aRSA,
1067 .algorithm_enc = SSL_AES128,
1068 .algorithm_mac = SSL_SHA1,
1069 .algorithm_ssl = SSL_TLSV1,
1070 .algo_strength = SSL_HIGH,
1071 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1072 .strength_bits = 128,
1073 .alg_bits = 128,
1074 },
1075
1076 /* Cipher C014 */
1077 {
1078 .valid = 1,
1079 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1080 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1081 .algorithm_mkey = SSL_kECDHE,
1082 .algorithm_auth = SSL_aRSA,
1083 .algorithm_enc = SSL_AES256,
1084 .algorithm_mac = SSL_SHA1,
1085 .algorithm_ssl = SSL_TLSV1,
1086 .algo_strength = SSL_HIGH,
1087 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1088 .strength_bits = 256,
1089 .alg_bits = 256,
1090 },
1091
1092 /* Cipher C015 */
1093 {
1094 .valid = 1,
1095 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1096 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1097 .algorithm_mkey = SSL_kECDHE,
1098 .algorithm_auth = SSL_aNULL,
1099 .algorithm_enc = SSL_eNULL,
1100 .algorithm_mac = SSL_SHA1,
1101 .algorithm_ssl = SSL_TLSV1,
1102 .algo_strength = SSL_STRONG_NONE,
1103 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1104 .strength_bits = 0,
1105 .alg_bits = 0,
1106 },
1107
1108 /* Cipher C016 */
1109 {
1110 .valid = 1,
1111 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1112 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1113 .algorithm_mkey = SSL_kECDHE,
1114 .algorithm_auth = SSL_aNULL,
1115 .algorithm_enc = SSL_RC4,
1116 .algorithm_mac = SSL_SHA1,
1117 .algorithm_ssl = SSL_TLSV1,
1118 .algo_strength = SSL_LOW,
1119 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1120 .strength_bits = 128,
1121 .alg_bits = 128,
1122 },
1123
1124 /* Cipher C017 */
1125 {
1126 .valid = 1,
1127 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1128 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1129 .algorithm_mkey = SSL_kECDHE,
1130 .algorithm_auth = SSL_aNULL,
1131 .algorithm_enc = SSL_3DES,
1132 .algorithm_mac = SSL_SHA1,
1133 .algorithm_ssl = SSL_TLSV1,
1134 .algo_strength = SSL_MEDIUM,
1135 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1136 .strength_bits = 112,
1137 .alg_bits = 168,
1138 },
1139
1140 /* Cipher C018 */
1141 {
1142 .valid = 1,
1143 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1144 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1145 .algorithm_mkey = SSL_kECDHE,
1146 .algorithm_auth = SSL_aNULL,
1147 .algorithm_enc = SSL_AES128,
1148 .algorithm_mac = SSL_SHA1,
1149 .algorithm_ssl = SSL_TLSV1,
1150 .algo_strength = SSL_HIGH,
1151 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1152 .strength_bits = 128,
1153 .alg_bits = 128,
1154 },
1155
1156 /* Cipher C019 */
1157 {
1158 .valid = 1,
1159 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1160 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1161 .algorithm_mkey = SSL_kECDHE,
1162 .algorithm_auth = SSL_aNULL,
1163 .algorithm_enc = SSL_AES256,
1164 .algorithm_mac = SSL_SHA1,
1165 .algorithm_ssl = SSL_TLSV1,
1166 .algo_strength = SSL_HIGH,
1167 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1168 .strength_bits = 256,
1169 .alg_bits = 256,
1170 },
1171
1172
1173 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1174
1175 /* Cipher C023 */
1176 {
1177 .valid = 1,
1178 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1179 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1180 .algorithm_mkey = SSL_kECDHE,
1181 .algorithm_auth = SSL_aECDSA,
1182 .algorithm_enc = SSL_AES128,
1183 .algorithm_mac = SSL_SHA256,
1184 .algorithm_ssl = SSL_TLSV1_2,
1185 .algo_strength = SSL_HIGH,
1186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1187 .strength_bits = 128,
1188 .alg_bits = 128,
1189 },
1190
1191 /* Cipher C024 */
1192 {
1193 .valid = 1,
1194 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1195 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1196 .algorithm_mkey = SSL_kECDHE,
1197 .algorithm_auth = SSL_aECDSA,
1198 .algorithm_enc = SSL_AES256,
1199 .algorithm_mac = SSL_SHA384,
1200 .algorithm_ssl = SSL_TLSV1_2,
1201 .algo_strength = SSL_HIGH,
1202 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1203 .strength_bits = 256,
1204 .alg_bits = 256,
1205 },
1206
1207 /* Cipher C027 */
1208 {
1209 .valid = 1,
1210 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1211 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1212 .algorithm_mkey = SSL_kECDHE,
1213 .algorithm_auth = SSL_aRSA,
1214 .algorithm_enc = SSL_AES128,
1215 .algorithm_mac = SSL_SHA256,
1216 .algorithm_ssl = SSL_TLSV1_2,
1217 .algo_strength = SSL_HIGH,
1218 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1219 .strength_bits = 128,
1220 .alg_bits = 128,
1221 },
1222
1223 /* Cipher C028 */
1224 {
1225 .valid = 1,
1226 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1227 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1228 .algorithm_mkey = SSL_kECDHE,
1229 .algorithm_auth = SSL_aRSA,
1230 .algorithm_enc = SSL_AES256,
1231 .algorithm_mac = SSL_SHA384,
1232 .algorithm_ssl = SSL_TLSV1_2,
1233 .algo_strength = SSL_HIGH,
1234 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1235 .strength_bits = 256,
1236 .alg_bits = 256,
1237 },
1238
1239 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1240
1241 /* Cipher C02B */
1242 {
1243 .valid = 1,
1244 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1245 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1246 .algorithm_mkey = SSL_kECDHE,
1247 .algorithm_auth = SSL_aECDSA,
1248 .algorithm_enc = SSL_AES128GCM,
1249 .algorithm_mac = SSL_AEAD,
1250 .algorithm_ssl = SSL_TLSV1_2,
1251 .algo_strength = SSL_HIGH,
1252 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1253 FIXED_NONCE_LEN(4)|
1254 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1255 .strength_bits = 128,
1256 .alg_bits = 128,
1257 },
1258
1259 /* Cipher C02C */
1260 {
1261 .valid = 1,
1262 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1263 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1264 .algorithm_mkey = SSL_kECDHE,
1265 .algorithm_auth = SSL_aECDSA,
1266 .algorithm_enc = SSL_AES256GCM,
1267 .algorithm_mac = SSL_AEAD,
1268 .algorithm_ssl = SSL_TLSV1_2,
1269 .algo_strength = SSL_HIGH,
1270 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1271 FIXED_NONCE_LEN(4)|
1272 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1273 .strength_bits = 256,
1274 .alg_bits = 256,
1275 },
1276
1277 /* Cipher C02F */
1278 {
1279 .valid = 1,
1280 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1281 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1282 .algorithm_mkey = SSL_kECDHE,
1283 .algorithm_auth = SSL_aRSA,
1284 .algorithm_enc = SSL_AES128GCM,
1285 .algorithm_mac = SSL_AEAD,
1286 .algorithm_ssl = SSL_TLSV1_2,
1287 .algo_strength = SSL_HIGH,
1288 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1289 FIXED_NONCE_LEN(4)|
1290 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1291 .strength_bits = 128,
1292 .alg_bits = 128,
1293 },
1294
1295 /* Cipher C030 */
1296 {
1297 .valid = 1,
1298 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1299 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1300 .algorithm_mkey = SSL_kECDHE,
1301 .algorithm_auth = SSL_aRSA,
1302 .algorithm_enc = SSL_AES256GCM,
1303 .algorithm_mac = SSL_AEAD,
1304 .algorithm_ssl = SSL_TLSV1_2,
1305 .algo_strength = SSL_HIGH,
1306 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1307 FIXED_NONCE_LEN(4)|
1308 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1309 .strength_bits = 256,
1310 .alg_bits = 256,
1311 },
1312
1313 /* Cipher CCA8 */
1314 {
1315 .valid = 1,
1316 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1317 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1318 .algorithm_mkey = SSL_kECDHE,
1319 .algorithm_auth = SSL_aRSA,
1320 .algorithm_enc = SSL_CHACHA20POLY1305,
1321 .algorithm_mac = SSL_AEAD,
1322 .algorithm_ssl = SSL_TLSV1_2,
1323 .algo_strength = SSL_HIGH,
1324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1325 FIXED_NONCE_LEN(12),
1326 .strength_bits = 256,
1327 .alg_bits = 256,
1328 },
1329
1330 /* Cipher CCA9 */
1331 {
1332 .valid = 1,
1333 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1334 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1335 .algorithm_mkey = SSL_kECDHE,
1336 .algorithm_auth = SSL_aECDSA,
1337 .algorithm_enc = SSL_CHACHA20POLY1305,
1338 .algorithm_mac = SSL_AEAD,
1339 .algorithm_ssl = SSL_TLSV1_2,
1340 .algo_strength = SSL_HIGH,
1341 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1342 FIXED_NONCE_LEN(12),
1343 .strength_bits = 256,
1344 .alg_bits = 256,
1345 },
1346
1347 /* Cipher CCAA */
1348 {
1349 .valid = 1,
1350 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1351 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1352 .algorithm_mkey = SSL_kDHE,
1353 .algorithm_auth = SSL_aRSA,
1354 .algorithm_enc = SSL_CHACHA20POLY1305,
1355 .algorithm_mac = SSL_AEAD,
1356 .algorithm_ssl = SSL_TLSV1_2,
1357 .algo_strength = SSL_HIGH,
1358 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1359 FIXED_NONCE_LEN(12),
1360 .strength_bits = 256,
1361 .alg_bits = 256,
1362 },
1363
1364 /* Cipher FF85 FIXME IANA */
1365 {
1366 .valid = 1,
1367 .name = "GOST2012256-GOST89-GOST89",
1368 .id = 0x300ff85, /* FIXME IANA */
1369 .algorithm_mkey = SSL_kGOST,
1370 .algorithm_auth = SSL_aGOST01,
1371 .algorithm_enc = SSL_eGOST2814789CNT,
1372 .algorithm_mac = SSL_GOST89MAC,
1373 .algorithm_ssl = SSL_TLSV1,
1374 .algo_strength = SSL_HIGH,
1375 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1376 TLS1_STREAM_MAC,
1377 .strength_bits = 256,
1378 .alg_bits = 256
1379 },
1380
1381 /* Cipher FF87 FIXME IANA */
1382 {
1383 .valid = 1,
1384 .name = "GOST2012256-NULL-STREEBOG256",
1385 .id = 0x300ff87, /* FIXME IANA */
1386 .algorithm_mkey = SSL_kGOST,
1387 .algorithm_auth = SSL_aGOST01,
1388 .algorithm_enc = SSL_eNULL,
1389 .algorithm_mac = SSL_STREEBOG256,
1390 .algorithm_ssl = SSL_TLSV1,
1391 .algo_strength = SSL_STRONG_NONE,
1392 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1393 .strength_bits = 0,
1394 .alg_bits = 0
1395 },
1396
1397
1398 /* end of list */
1399};
1400
1401int
1402ssl3_num_ciphers(void)
1403{
1404 return (SSL3_NUM_CIPHERS);
1405}
1406
1407const SSL_CIPHER *
1408ssl3_get_cipher(unsigned int u)
1409{
1410 if (u < SSL3_NUM_CIPHERS)
1411 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1412 else
1413 return (NULL);
1414}
1415
1416const SSL_CIPHER *
1417ssl3_get_cipher_by_id(unsigned int id)
1418{
1419 const SSL_CIPHER *cp;
1420 SSL_CIPHER c;
1421
1422 c.id = id;
1423 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1424 if (cp != NULL && cp->valid == 1)
1425 return (cp);
1426
1427 return (NULL);
1428}
1429
1430const SSL_CIPHER *
1431ssl3_get_cipher_by_value(uint16_t value)
1432{
1433 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1434}
1435
1436uint16_t
1437ssl3_cipher_get_value(const SSL_CIPHER *c)
1438{
1439 return (c->id & SSL3_CK_VALUE_MASK);
1440}
1441
1442int
1443ssl3_pending(const SSL *s)
1444{
1445 if (s->s3->rcontent == NULL)
1446 return 0;
1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA)
1448 return 0;
1449
1450 return tls_content_remaining(s->s3->rcontent);
1451}
1452
1453int
1454ssl3_handshake_msg_hdr_len(SSL *s)
1455{
1456 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1457 SSL3_HM_HEADER_LENGTH);
1458}
1459
1460int
1461ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1462{
1463 int ret = 0;
1464
1465 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1466 goto err;
1467 if (!CBB_add_u8(handshake, msg_type))
1468 goto err;
1469 if (SSL_is_dtls(s)) {
1470 unsigned char *data;
1471
1472 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1473 SSL3_HM_HEADER_LENGTH))
1474 goto err;
1475 }
1476 if (!CBB_add_u24_length_prefixed(handshake, body))
1477 goto err;
1478
1479 ret = 1;
1480
1481 err:
1482 return (ret);
1483}
1484
1485int
1486ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1487{
1488 unsigned char *data = NULL;
1489 size_t outlen;
1490 int ret = 0;
1491
1492 if (!CBB_finish(handshake, &data, &outlen))
1493 goto err;
1494
1495 if (outlen > INT_MAX)
1496 goto err;
1497
1498 if (!BUF_MEM_grow_clean(s->init_buf, outlen))
1499 goto err;
1500
1501 memcpy(s->init_buf->data, data, outlen);
1502
1503 s->init_num = (int)outlen;
1504 s->init_off = 0;
1505
1506 if (SSL_is_dtls(s)) {
1507 unsigned long len;
1508 uint8_t msg_type;
1509 CBS cbs;
1510
1511 CBS_init(&cbs, data, outlen);
1512 if (!CBS_get_u8(&cbs, &msg_type))
1513 goto err;
1514
1515 len = outlen - ssl3_handshake_msg_hdr_len(s);
1516
1517 dtls1_set_message_header(s, msg_type, len, 0, len);
1518 dtls1_buffer_message(s, 0);
1519 }
1520
1521 ret = 1;
1522
1523 err:
1524 free(data);
1525
1526 return (ret);
1527}
1528
1529int
1530ssl3_handshake_write(SSL *s)
1531{
1532 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1533}
1534
1535int
1536ssl3_record_write(SSL *s, int type)
1537{
1538 if (SSL_is_dtls(s))
1539 return dtls1_do_write(s, type);
1540
1541 return ssl3_do_write(s, type);
1542}
1543
1544int
1545ssl3_new(SSL *s)
1546{
1547 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1548 return (0);
1549
1550 s->method->ssl_clear(s);
1551
1552 return (1);
1553}
1554
1555void
1556ssl3_free(SSL *s)
1557{
1558 if (s == NULL)
1559 return;
1560
1561 tls1_cleanup_key_block(s);
1562 ssl3_release_read_buffer(s);
1563 ssl3_release_write_buffer(s);
1564
1565 tls_content_free(s->s3->rcontent);
1566
1567 tls_buffer_free(s->s3->alert_fragment);
1568 tls_buffer_free(s->s3->handshake_fragment);
1569
1570 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1571 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1572 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1573 tls_key_share_free(s->s3->hs.key_share);
1574
1575 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1576 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1577 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1578
1579 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1580
1581 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1582 sk_X509_pop_free(s->verified_chain, X509_free);
1583
1584 tls1_transcript_free(s);
1585 tls1_transcript_hash_free(s);
1586
1587 free(s->s3->alpn_selected);
1588
1589 freezero(s->s3->peer_quic_transport_params,
1590 s->s3->peer_quic_transport_params_len);
1591
1592 freezero(s->s3, sizeof(*s->s3));
1593
1594 s->s3 = NULL;
1595}
1596
1597void
1598ssl3_clear(SSL *s)
1599{
1600 unsigned char *rp, *wp;
1601 size_t rlen, wlen;
1602
1603 tls1_cleanup_key_block(s);
1604 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1605 sk_X509_pop_free(s->verified_chain, X509_free);
1606 s->verified_chain = NULL;
1607
1608 tls_buffer_free(s->s3->alert_fragment);
1609 s->s3->alert_fragment = NULL;
1610 tls_buffer_free(s->s3->handshake_fragment);
1611 s->s3->handshake_fragment = NULL;
1612
1613 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1614 s->s3->hs.sigalgs = NULL;
1615 s->s3->hs.sigalgs_len = 0;
1616
1617 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1618 s->s3->hs.peer_certs = NULL;
1619 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1620 s->s3->hs.peer_certs_no_leaf = NULL;
1621
1622 tls_key_share_free(s->s3->hs.key_share);
1623 s->s3->hs.key_share = NULL;
1624
1625 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1626 s->s3->hs.tls13.secrets = NULL;
1627 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1628 s->s3->hs.tls13.cookie = NULL;
1629 s->s3->hs.tls13.cookie_len = 0;
1630 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1631
1632 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1633 s->s3->hs.tls13.quic_read_buffer = NULL;
1634 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial;
1635 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial;
1636
1637 s->s3->hs.extensions_seen = 0;
1638
1639 rp = s->s3->rbuf.buf;
1640 wp = s->s3->wbuf.buf;
1641 rlen = s->s3->rbuf.len;
1642 wlen = s->s3->wbuf.len;
1643
1644 tls_content_free(s->s3->rcontent);
1645 s->s3->rcontent = NULL;
1646
1647 tls1_transcript_free(s);
1648 tls1_transcript_hash_free(s);
1649
1650 free(s->s3->alpn_selected);
1651 s->s3->alpn_selected = NULL;
1652 s->s3->alpn_selected_len = 0;
1653
1654 freezero(s->s3->peer_quic_transport_params,
1655 s->s3->peer_quic_transport_params_len);
1656 s->s3->peer_quic_transport_params = NULL;
1657 s->s3->peer_quic_transport_params_len = 0;
1658
1659 memset(s->s3, 0, sizeof(*s->s3));
1660
1661 s->s3->rbuf.buf = rp;
1662 s->s3->wbuf.buf = wp;
1663 s->s3->rbuf.len = rlen;
1664 s->s3->wbuf.len = wlen;
1665
1666 ssl_free_wbio_buffer(s);
1667
1668 /* Not needed... */
1669 s->s3->renegotiate = 0;
1670 s->s3->total_renegotiations = 0;
1671 s->s3->num_renegotiations = 0;
1672 s->s3->in_read_app_data = 0;
1673
1674 s->packet_length = 0;
1675 s->version = TLS1_VERSION;
1676
1677 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1678}
1679
1680long
1681_SSL_get_shared_group(SSL *s, long n)
1682{
1683 size_t count;
1684 int nid;
1685
1686 /* OpenSSL document that they return -1 for clients. They return 0. */
1687 if (!s->server)
1688 return 0;
1689
1690 if (n == -1) {
1691 if (!tls1_count_shared_groups(s, &count))
1692 return 0;
1693
1694 if (count > LONG_MAX)
1695 count = LONG_MAX;
1696
1697 return count;
1698 }
1699
1700 /* Undocumented special case added for Suite B profile support. */
1701 if (n == -2)
1702 n = 0;
1703
1704 if (n < 0)
1705 return 0;
1706
1707 if (!tls1_get_shared_group_by_index(s, n, &nid))
1708 return NID_undef;
1709
1710 return nid;
1711}
1712
1713long
1714_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1715{
1716 EVP_PKEY *pkey = NULL;
1717 int ret = 0;
1718
1719 *key = NULL;
1720
1721 if (s->s3->hs.key_share == NULL)
1722 goto err;
1723
1724 if ((pkey = EVP_PKEY_new()) == NULL)
1725 goto err;
1726 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1727 goto err;
1728
1729 *key = pkey;
1730 pkey = NULL;
1731
1732 ret = 1;
1733
1734 err:
1735 EVP_PKEY_free(pkey);
1736
1737 return (ret);
1738}
1739
1740static int
1741_SSL_session_reused(SSL *s)
1742{
1743 return s->hit;
1744}
1745
1746static int
1747_SSL_num_renegotiations(SSL *s)
1748{
1749 return s->s3->num_renegotiations;
1750}
1751
1752static int
1753_SSL_clear_num_renegotiations(SSL *s)
1754{
1755 int renegs;
1756
1757 renegs = s->s3->num_renegotiations;
1758 s->s3->num_renegotiations = 0;
1759
1760 return renegs;
1761}
1762
1763static int
1764_SSL_total_renegotiations(SSL *s)
1765{
1766 return s->s3->total_renegotiations;
1767}
1768
1769static int
1770_SSL_set_tmp_dh(SSL *s, DH *dh)
1771{
1772 DH *dhe_params;
1773
1774 if (dh == NULL) {
1775 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1776 return 0;
1777 }
1778
1779 if (!ssl_security_dh(s, dh)) {
1780 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1781 return 0;
1782 }
1783
1784 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1785 SSLerror(s, ERR_R_DH_LIB);
1786 return 0;
1787 }
1788
1789 DH_free(s->cert->dhe_params);
1790 s->cert->dhe_params = dhe_params;
1791
1792 return 1;
1793}
1794
1795static int
1796_SSL_set_dh_auto(SSL *s, int state)
1797{
1798 s->cert->dhe_params_auto = state;
1799 return 1;
1800}
1801
1802static int
1803_SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1804{
1805 const EC_GROUP *group;
1806 int nid;
1807
1808 if (ecdh == NULL)
1809 return 0;
1810 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1811 return 0;
1812
1813 nid = EC_GROUP_get_curve_name(group);
1814 return SSL_set1_groups(s, &nid, 1);
1815}
1816
1817static int
1818_SSL_set_ecdh_auto(SSL *s, int state)
1819{
1820 return 1;
1821}
1822
1823static int
1824_SSL_set_tlsext_host_name(SSL *s, const char *name)
1825{
1826 int is_ip;
1827 CBS cbs;
1828
1829 free(s->tlsext_hostname);
1830 s->tlsext_hostname = NULL;
1831
1832 if (name == NULL)
1833 return 1;
1834
1835 CBS_init(&cbs, name, strlen(name));
1836
1837 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1838 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1839 return 0;
1840 }
1841 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1842 SSLerror(s, ERR_R_INTERNAL_ERROR);
1843 return 0;
1844 }
1845
1846 return 1;
1847}
1848
1849static int
1850_SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1851{
1852 s->tlsext_debug_arg = arg;
1853 return 1;
1854}
1855
1856static int
1857_SSL_get_tlsext_status_type(SSL *s)
1858{
1859 return s->tlsext_status_type;
1860}
1861
1862static int
1863_SSL_set_tlsext_status_type(SSL *s, int type)
1864{
1865 s->tlsext_status_type = type;
1866 return 1;
1867}
1868
1869static int
1870_SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1871{
1872 *exts = s->tlsext_ocsp_exts;
1873 return 1;
1874}
1875
1876static int
1877_SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1878{
1879 /* XXX - leak... */
1880 s->tlsext_ocsp_exts = exts;
1881 return 1;
1882}
1883
1884static int
1885_SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1886{
1887 *ids = s->tlsext_ocsp_ids;
1888 return 1;
1889}
1890
1891static int
1892_SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1893{
1894 /* XXX - leak... */
1895 s->tlsext_ocsp_ids = ids;
1896 return 1;
1897}
1898
1899static int
1900_SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1901{
1902 if (s->tlsext_ocsp_resp != NULL &&
1903 s->tlsext_ocsp_resp_len < INT_MAX) {
1904 *resp = s->tlsext_ocsp_resp;
1905 return (int)s->tlsext_ocsp_resp_len;
1906 }
1907
1908 *resp = NULL;
1909
1910 return -1;
1911}
1912
1913static int
1914_SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1915{
1916 free(s->tlsext_ocsp_resp);
1917 s->tlsext_ocsp_resp = NULL;
1918 s->tlsext_ocsp_resp_len = 0;
1919
1920 if (resp_len < 0)
1921 return 0;
1922
1923 s->tlsext_ocsp_resp = resp;
1924 s->tlsext_ocsp_resp_len = (size_t)resp_len;
1925
1926 return 1;
1927}
1928
1929int
1930SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1931{
1932 return ssl_cert_set0_chain(NULL, ssl, chain);
1933}
1934
1935int
1936SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1937{
1938 return ssl_cert_set1_chain(NULL, ssl, chain);
1939}
1940
1941int
1942SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1943{
1944 return ssl_cert_add0_chain_cert(NULL, ssl, x509);
1945}
1946
1947int
1948SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1949{
1950 return ssl_cert_add1_chain_cert(NULL, ssl, x509);
1951}
1952
1953int
1954SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1955{
1956 *out_chain = NULL;
1957
1958 if (ssl->cert->key != NULL)
1959 *out_chain = ssl->cert->key->chain;
1960
1961 return 1;
1962}
1963
1964int
1965SSL_clear_chain_certs(SSL *ssl)
1966{
1967 return ssl_cert_set0_chain(NULL, ssl, NULL);
1968}
1969
1970int
1971SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1972{
1973 return tls1_set_groups(&s->tlsext_supportedgroups,
1974 &s->tlsext_supportedgroups_length, groups, groups_len);
1975}
1976
1977int
1978SSL_set1_groups_list(SSL *s, const char *groups)
1979{
1980 return tls1_set_group_list(&s->tlsext_supportedgroups,
1981 &s->tlsext_supportedgroups_length, groups);
1982}
1983
1984static int
1985_SSL_get_signature_nid(SSL *s, int *nid)
1986{
1987 const struct ssl_sigalg *sigalg;
1988
1989 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1990 return 0;
1991
1992 *nid = EVP_MD_type(sigalg->md());
1993
1994 return 1;
1995}
1996
1997static int
1998_SSL_get_peer_signature_nid(SSL *s, int *nid)
1999{
2000 const struct ssl_sigalg *sigalg;
2001
2002 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
2003 return 0;
2004
2005 *nid = EVP_MD_type(sigalg->md());
2006
2007 return 1;
2008}
2009
2010int
2011SSL_get_signature_type_nid(const SSL *s, int *nid)
2012{
2013 const struct ssl_sigalg *sigalg;
2014
2015 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
2016 return 0;
2017
2018 *nid = sigalg->key_type;
2019 if (sigalg->key_type == EVP_PKEY_RSA &&
2020 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2021 *nid = EVP_PKEY_RSA_PSS;
2022
2023 return 1;
2024}
2025
2026int
2027SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
2028{
2029 const struct ssl_sigalg *sigalg;
2030
2031 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
2032 return 0;
2033
2034 *nid = sigalg->key_type;
2035 if (sigalg->key_type == EVP_PKEY_RSA &&
2036 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2037 *nid = EVP_PKEY_RSA_PSS;
2038
2039 return 1;
2040}
2041
2042long
2043ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2044{
2045 switch (cmd) {
2046 case SSL_CTRL_GET_SESSION_REUSED:
2047 return _SSL_session_reused(s);
2048
2049 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
2050 return _SSL_num_renegotiations(s);
2051
2052 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
2053 return _SSL_clear_num_renegotiations(s);
2054
2055 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
2056 return _SSL_total_renegotiations(s);
2057
2058 case SSL_CTRL_SET_TMP_DH:
2059 return _SSL_set_tmp_dh(s, parg);
2060
2061 case SSL_CTRL_SET_TMP_DH_CB:
2062 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2063 return 0;
2064
2065 case SSL_CTRL_SET_DH_AUTO:
2066 return _SSL_set_dh_auto(s, larg);
2067
2068 case SSL_CTRL_SET_TMP_ECDH:
2069 return _SSL_set_tmp_ecdh(s, parg);
2070
2071 case SSL_CTRL_SET_TMP_ECDH_CB:
2072 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2073 return 0;
2074
2075 case SSL_CTRL_SET_ECDH_AUTO:
2076 return _SSL_set_ecdh_auto(s, larg);
2077
2078 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2079 if (larg != TLSEXT_NAMETYPE_host_name) {
2080 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2081 return 0;
2082 }
2083 return _SSL_set_tlsext_host_name(s, parg);
2084
2085 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2086 return _SSL_set_tlsext_debug_arg(s, parg);
2087
2088 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
2089 return _SSL_get_tlsext_status_type(s);
2090
2091 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2092 return _SSL_set_tlsext_status_type(s, larg);
2093
2094 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2095 return _SSL_get_tlsext_status_exts(s, parg);
2096
2097 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2098 return _SSL_set_tlsext_status_exts(s, parg);
2099
2100 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2101 return _SSL_get_tlsext_status_ids(s, parg);
2102
2103 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2104 return _SSL_set_tlsext_status_ids(s, parg);
2105
2106 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2107 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2108
2109 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2110 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2111
2112 case SSL_CTRL_CHAIN:
2113 if (larg == 0)
2114 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2115 else
2116 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2117
2118 case SSL_CTRL_CHAIN_CERT:
2119 if (larg == 0)
2120 return SSL_add0_chain_cert(s, (X509 *)parg);
2121 else
2122 return SSL_add1_chain_cert(s, (X509 *)parg);
2123
2124 case SSL_CTRL_GET_CHAIN_CERTS:
2125 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2126
2127 case SSL_CTRL_SET_GROUPS:
2128 return SSL_set1_groups(s, parg, larg);
2129
2130 case SSL_CTRL_SET_GROUPS_LIST:
2131 return SSL_set1_groups_list(s, parg);
2132
2133 case SSL_CTRL_GET_SHARED_GROUP:
2134 return _SSL_get_shared_group(s, larg);
2135
2136 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2137 case SSL_CTRL_GET_SERVER_TMP_KEY:
2138 if (s->server != 0)
2139 return 0;
2140 return _SSL_get_peer_tmp_key(s, parg);
2141
2142 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2143 return SSL_get_min_proto_version(s);
2144
2145 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2146 return SSL_get_max_proto_version(s);
2147
2148 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2149 if (larg < 0 || larg > UINT16_MAX)
2150 return 0;
2151 return SSL_set_min_proto_version(s, larg);
2152
2153 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2154 if (larg < 0 || larg > UINT16_MAX)
2155 return 0;
2156 return SSL_set_max_proto_version(s, larg);
2157
2158 case SSL_CTRL_GET_SIGNATURE_NID:
2159 return _SSL_get_signature_nid(s, parg);
2160
2161 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2162 return _SSL_get_peer_signature_nid(s, parg);
2163
2164 /*
2165 * Legacy controls that should eventually be removed.
2166 */
2167 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2168 return 0;
2169
2170 case SSL_CTRL_GET_FLAGS:
2171 return (int)(s->s3->flags);
2172
2173 case SSL_CTRL_NEED_TMP_RSA:
2174 return 0;
2175
2176 case SSL_CTRL_SET_TMP_RSA:
2177 case SSL_CTRL_SET_TMP_RSA_CB:
2178 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2179 return 0;
2180 }
2181
2182 return 0;
2183}
2184
2185long
2186ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2187{
2188 switch (cmd) {
2189 case SSL_CTRL_SET_TMP_RSA_CB:
2190 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2191 return 0;
2192
2193 case SSL_CTRL_SET_TMP_DH_CB:
2194 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
2195 return 1;
2196
2197 case SSL_CTRL_SET_TMP_ECDH_CB:
2198 return 1;
2199
2200 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2201 s->tlsext_debug_cb = (void (*)(SSL *, int , int,
2202 unsigned char *, int, void *))fp;
2203 return 1;
2204 }
2205
2206 return 0;
2207}
2208
2209static int
2210_SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2211{
2212 DH *dhe_params;
2213
2214 if (dh == NULL) {
2215 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
2216 return 0;
2217 }
2218
2219 if (!ssl_ctx_security_dh(ctx, dh)) {
2220 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
2221 return 0;
2222 }
2223
2224 if ((dhe_params = DHparams_dup(dh)) == NULL) {
2225 SSLerrorx(ERR_R_DH_LIB);
2226 return 0;
2227 }
2228
2229 DH_free(ctx->cert->dhe_params);
2230 ctx->cert->dhe_params = dhe_params;
2231
2232 return 1;
2233}
2234
2235static int
2236_SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2237{
2238 ctx->cert->dhe_params_auto = state;
2239 return 1;
2240}
2241
2242static int
2243_SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2244{
2245 const EC_GROUP *group;
2246 int nid;
2247
2248 if (ecdh == NULL)
2249 return 0;
2250 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2251 return 0;
2252
2253 nid = EC_GROUP_get_curve_name(group);
2254 return SSL_CTX_set1_groups(ctx, &nid, 1);
2255}
2256
2257static int
2258_SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2259{
2260 return 1;
2261}
2262
2263static int
2264_SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2265{
2266 ctx->tlsext_servername_arg = arg;
2267 return 1;
2268}
2269
2270static int
2271_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2272{
2273 if (keys == NULL)
2274 return 48;
2275
2276 if (keys_len != 48) {
2277 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2278 return 0;
2279 }
2280
2281 memcpy(keys, ctx->tlsext_tick_key_name, 16);
2282 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
2283 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
2284
2285 return 1;
2286}
2287
2288static int
2289_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2290{
2291 if (keys == NULL)
2292 return 48;
2293
2294 if (keys_len != 48) {
2295 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2296 return 0;
2297 }
2298
2299 memcpy(ctx->tlsext_tick_key_name, keys, 16);
2300 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
2301 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
2302
2303 return 1;
2304}
2305
2306static int
2307_SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2308{
2309 *arg = ctx->tlsext_status_arg;
2310 return 1;
2311}
2312
2313static int
2314_SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2315{
2316 ctx->tlsext_status_arg = arg;
2317 return 1;
2318}
2319
2320int
2321SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2322{
2323 return ssl_cert_set0_chain(ctx, NULL, chain);
2324}
2325
2326int
2327SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2328{
2329 return ssl_cert_set1_chain(ctx, NULL, chain);
2330}
2331
2332int
2333SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2334{
2335 return ssl_cert_add0_chain_cert(ctx, NULL, x509);
2336}
2337
2338int
2339SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2340{
2341 return ssl_cert_add1_chain_cert(ctx, NULL, x509);
2342}
2343
2344int
2345SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2346{
2347 *out_chain = NULL;
2348
2349 if (ctx->cert->key != NULL)
2350 *out_chain = ctx->cert->key->chain;
2351
2352 return 1;
2353}
2354
2355int
2356SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2357{
2358 return ssl_cert_set0_chain(ctx, NULL, NULL);
2359}
2360
2361static int
2362_SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2363{
2364 if (ctx->extra_certs == NULL) {
2365 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2366 return 0;
2367 }
2368 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2369 return 0;
2370
2371 return 1;
2372}
2373
2374static int
2375_SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2376{
2377 *certs = ctx->extra_certs;
2378 if (*certs == NULL)
2379 *certs = ctx->cert->key->chain;
2380
2381 return 1;
2382}
2383
2384static int
2385_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2386{
2387 *certs = ctx->extra_certs;
2388 return 1;
2389}
2390
2391static int
2392_SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2393{
2394 sk_X509_pop_free(ctx->extra_certs, X509_free);
2395 ctx->extra_certs = NULL;
2396 return 1;
2397}
2398
2399int
2400SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2401{
2402 return tls1_set_groups(&ctx->tlsext_supportedgroups,
2403 &ctx->tlsext_supportedgroups_length, groups, groups_len);
2404}
2405
2406int
2407SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2408{
2409 return tls1_set_group_list(&ctx->tlsext_supportedgroups,
2410 &ctx->tlsext_supportedgroups_length, groups);
2411}
2412
2413long
2414ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2415{
2416 switch (cmd) {
2417 case SSL_CTRL_SET_TMP_DH:
2418 return _SSL_CTX_set_tmp_dh(ctx, parg);
2419
2420 case SSL_CTRL_SET_TMP_DH_CB:
2421 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2422 return 0;
2423
2424 case SSL_CTRL_SET_DH_AUTO:
2425 return _SSL_CTX_set_dh_auto(ctx, larg);
2426
2427 case SSL_CTRL_SET_TMP_ECDH:
2428 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2429
2430 case SSL_CTRL_SET_TMP_ECDH_CB:
2431 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2432 return 0;
2433
2434 case SSL_CTRL_SET_ECDH_AUTO:
2435 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2436
2437 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2438 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2439
2440 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2441 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2442
2443 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2444 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2445
2446 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2447 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2448
2449 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2450 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2451
2452 case SSL_CTRL_CHAIN:
2453 if (larg == 0)
2454 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2455 else
2456 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2457
2458 case SSL_CTRL_CHAIN_CERT:
2459 if (larg == 0)
2460 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2461 else
2462 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2463
2464 case SSL_CTRL_GET_CHAIN_CERTS:
2465 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2466
2467 case SSL_CTRL_EXTRA_CHAIN_CERT:
2468 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2469
2470 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2471 if (larg == 0)
2472 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2473 else
2474 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2475
2476 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2477 return _SSL_CTX_clear_extra_chain_certs(ctx);
2478
2479 case SSL_CTRL_SET_GROUPS:
2480 return SSL_CTX_set1_groups(ctx, parg, larg);
2481
2482 case SSL_CTRL_SET_GROUPS_LIST:
2483 return SSL_CTX_set1_groups_list(ctx, parg);
2484
2485 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2486 return SSL_CTX_get_min_proto_version(ctx);
2487
2488 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2489 return SSL_CTX_get_max_proto_version(ctx);
2490
2491 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2492 if (larg < 0 || larg > UINT16_MAX)
2493 return 0;
2494 return SSL_CTX_set_min_proto_version(ctx, larg);
2495
2496 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2497 if (larg < 0 || larg > UINT16_MAX)
2498 return 0;
2499 return SSL_CTX_set_max_proto_version(ctx, larg);
2500
2501 /*
2502 * Legacy controls that should eventually be removed.
2503 */
2504 case SSL_CTRL_NEED_TMP_RSA:
2505 return 0;
2506
2507 case SSL_CTRL_SET_TMP_RSA:
2508 case SSL_CTRL_SET_TMP_RSA_CB:
2509 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2510 return 0;
2511 }
2512
2513 return 0;
2514}
2515
2516long
2517ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2518{
2519 switch (cmd) {
2520 case SSL_CTRL_SET_TMP_RSA_CB:
2521 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2522 return 0;
2523
2524 case SSL_CTRL_SET_TMP_DH_CB:
2525 ctx->cert->dhe_params_cb =
2526 (DH *(*)(SSL *, int, int))fp;
2527 return 1;
2528
2529 case SSL_CTRL_SET_TMP_ECDH_CB:
2530 return 1;
2531
2532 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2533 ctx->tlsext_servername_callback =
2534 (int (*)(SSL *, int *, void *))fp;
2535 return 1;
2536
2537 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2538 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb;
2539 return 1;
2540
2541 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2542 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2543 return 1;
2544
2545 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2546 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2547 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2548 return 1;
2549 }
2550
2551 return 0;
2552}
2553
2554SSL_CIPHER *
2555ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2556 STACK_OF(SSL_CIPHER) *srvr)
2557{
2558 unsigned long alg_k, alg_a, mask_k, mask_a;
2559 STACK_OF(SSL_CIPHER) *prio, *allow;
2560 SSL_CIPHER *c, *ret = NULL;
2561 int can_use_ecc;
2562 int i, ii, nid, ok;
2563 SSL_CERT *cert;
2564
2565 /* Let's see which ciphers we can support */
2566 cert = s->cert;
2567
2568 can_use_ecc = tls1_get_supported_group(s, &nid);
2569
2570 /*
2571 * Do not set the compare functions, because this may lead to a
2572 * reordering by "id". We want to keep the original ordering.
2573 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2574 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2575 */
2576
2577 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2578 prio = srvr;
2579 allow = clnt;
2580 } else {
2581 prio = clnt;
2582 allow = srvr;
2583 }
2584
2585 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2586 c = sk_SSL_CIPHER_value(prio, i);
2587
2588 /* Skip TLS v1.2 only ciphersuites if not supported. */
2589 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2590 !SSL_USE_TLS1_2_CIPHERS(s))
2591 continue;
2592
2593 /* Skip TLS v1.3 only ciphersuites if not supported. */
2594 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2595 !SSL_USE_TLS1_3_CIPHERS(s))
2596 continue;
2597
2598 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2599 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2600 !(c->algorithm_ssl & SSL_TLSV1_3))
2601 continue;
2602
2603 if (!ssl_security_shared_cipher(s, c))
2604 continue;
2605
2606 ssl_set_cert_masks(cert, c);
2607 mask_k = cert->mask_k;
2608 mask_a = cert->mask_a;
2609
2610 alg_k = c->algorithm_mkey;
2611 alg_a = c->algorithm_auth;
2612
2613 ok = (alg_k & mask_k) && (alg_a & mask_a);
2614
2615 /*
2616 * If we are considering an ECC cipher suite that uses our
2617 * certificate check it.
2618 */
2619 if (alg_a & SSL_aECDSA)
2620 ok = ok && tls1_check_ec_server_key(s);
2621 /*
2622 * If we are considering an ECC cipher suite that uses
2623 * an ephemeral EC key check it.
2624 */
2625 if (alg_k & SSL_kECDHE)
2626 ok = ok && can_use_ecc;
2627
2628 if (!ok)
2629 continue;
2630 ii = sk_SSL_CIPHER_find(allow, c);
2631 if (ii >= 0) {
2632 ret = sk_SSL_CIPHER_value(allow, ii);
2633 break;
2634 }
2635 }
2636 return (ret);
2637}
2638
2639int
2640ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2641{
2642 unsigned long alg_k;
2643
2644 alg_k = s->s3->hs.cipher->algorithm_mkey;
2645
2646#ifndef OPENSSL_NO_GOST
2647 if ((alg_k & SSL_kGOST) != 0) {
2648 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2649 return 0;
2650 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2651 return 0;
2652 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2653 return 0;
2654 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2655 return 0;
2656 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2657 return 0;
2658 }
2659#endif
2660
2661 if ((alg_k & SSL_kDHE) != 0) {
2662 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2663 return 0;
2664 }
2665
2666 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2667 return 0;
2668
2669 /*
2670 * ECDSA certs can be used with RSA cipher suites as well
2671 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2672 */
2673 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2674 return 0;
2675
2676 return 1;
2677}
2678
2679int
2680ssl3_shutdown(SSL *s)
2681{
2682 int ret;
2683
2684 /*
2685 * Don't do anything much if we have not done the handshake or
2686 * we don't want to send messages :-)
2687 */
2688 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2689 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2690 return (1);
2691 }
2692
2693 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
2694 s->shutdown|=SSL_SENT_SHUTDOWN;
2695 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2696 /*
2697 * Our shutdown alert has been sent now, and if it still needs
2698 * to be written, s->s3->alert_dispatch will be true
2699 */
2700 if (s->s3->alert_dispatch)
2701 return (-1); /* return WANT_WRITE */
2702 } else if (s->s3->alert_dispatch) {
2703 /* resend it if not sent */
2704 ret = ssl3_dispatch_alert(s);
2705 if (ret == -1) {
2706 /*
2707 * We only get to return -1 here the 2nd/Nth
2708 * invocation, we must have already signalled
2709 * return 0 upon a previous invoation,
2710 * return WANT_WRITE
2711 */
2712 return (ret);
2713 }
2714 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2715 /* If we are waiting for a close from our peer, we are closed */
2716 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2717 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2718 return (-1); /* return WANT_READ */
2719 }
2720 }
2721
2722 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2723 !s->s3->alert_dispatch)
2724 return (1);
2725 else
2726 return (0);
2727}
2728
2729int
2730ssl3_write(SSL *s, const void *buf, int len)
2731{
2732 errno = 0;
2733
2734 if (s->s3->renegotiate)
2735 ssl3_renegotiate_check(s);
2736
2737 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2738 buf, len);
2739}
2740
2741static int
2742ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2743{
2744 int ret;
2745
2746 errno = 0;
2747 if (s->s3->renegotiate)
2748 ssl3_renegotiate_check(s);
2749 s->s3->in_read_app_data = 1;
2750
2751 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2752 peek);
2753 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2754 /*
2755 * ssl3_read_bytes decided to call s->handshake_func,
2756 * which called ssl3_read_bytes to read handshake data.
2757 * However, ssl3_read_bytes actually found application data
2758 * and thinks that application data makes sense here; so disable
2759 * handshake processing and try to read application data again.
2760 */
2761 s->in_handshake++;
2762 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2763 buf, len, peek);
2764 s->in_handshake--;
2765 } else
2766 s->s3->in_read_app_data = 0;
2767
2768 return (ret);
2769}
2770
2771int
2772ssl3_read(SSL *s, void *buf, int len)
2773{
2774 return ssl3_read_internal(s, buf, len, 0);
2775}
2776
2777int
2778ssl3_peek(SSL *s, void *buf, int len)
2779{
2780 return ssl3_read_internal(s, buf, len, 1);
2781}
2782
2783int
2784ssl3_renegotiate(SSL *s)
2785{
2786 if (s->handshake_func == NULL)
2787 return 1;
2788
2789 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2790 return 0;
2791
2792 s->s3->renegotiate = 1;
2793
2794 return 1;
2795}
2796
2797int
2798ssl3_renegotiate_check(SSL *s)
2799{
2800 if (!s->s3->renegotiate)
2801 return 0;
2802 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2803 return 0;
2804
2805 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2806 s->s3->renegotiate = 0;
2807 s->s3->num_renegotiations++;
2808 s->s3->total_renegotiations++;
2809
2810 return 1;
2811}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-11 16:57:42 +0000