summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/s3_lib.c')
-rw-r--r--src/lib/libssl/s3_lib.c2827
1 files changed, 0 insertions, 2827 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
deleted file mode 100644
index 7ab6880131..0000000000
--- a/src/lib/libssl/s3_lib.c
+++ /dev/null
@@ -1,2827 +0,0 @@
1/* $OpenBSD: s3_lib.c,v 1.246 2023/07/08 16:40:13 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdio.h>
153
154#include <openssl/bn.h>
155#include <openssl/curve25519.h>
156#include <openssl/dh.h>
157#include <openssl/md5.h>
158#include <openssl/objects.h>
159#include <openssl/opensslconf.h>
160
161#include "bytestring.h"
162#include "dtls_local.h"
163#include "ssl_local.h"
164#include "ssl_sigalgs.h"
165#include "ssl_tlsext.h"
166#include "tls_content.h"
167
168#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
169
170/*
171 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
172 * fixed nonce length in algorithms2. It is the inverse of the
173 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
174 */
175#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
176
177/* list of available SSLv3 ciphers (sorted by id) */
178const SSL_CIPHER ssl3_ciphers[] = {
179
180 /* The RSA ciphers */
181 /* Cipher 01 */
182 {
183 .valid = 1,
184 .name = SSL3_TXT_RSA_NULL_MD5,
185 .id = SSL3_CK_RSA_NULL_MD5,
186 .algorithm_mkey = SSL_kRSA,
187 .algorithm_auth = SSL_aRSA,
188 .algorithm_enc = SSL_eNULL,
189 .algorithm_mac = SSL_MD5,
190 .algorithm_ssl = SSL_SSLV3,
191 .algo_strength = SSL_STRONG_NONE,
192 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
193 .strength_bits = 0,
194 .alg_bits = 0,
195 },
196
197 /* Cipher 02 */
198 {
199 .valid = 1,
200 .name = SSL3_TXT_RSA_NULL_SHA,
201 .id = SSL3_CK_RSA_NULL_SHA,
202 .algorithm_mkey = SSL_kRSA,
203 .algorithm_auth = SSL_aRSA,
204 .algorithm_enc = SSL_eNULL,
205 .algorithm_mac = SSL_SHA1,
206 .algorithm_ssl = SSL_SSLV3,
207 .algo_strength = SSL_STRONG_NONE,
208 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
209 .strength_bits = 0,
210 .alg_bits = 0,
211 },
212
213 /* Cipher 04 */
214 {
215 .valid = 1,
216 .name = SSL3_TXT_RSA_RC4_128_MD5,
217 .id = SSL3_CK_RSA_RC4_128_MD5,
218 .algorithm_mkey = SSL_kRSA,
219 .algorithm_auth = SSL_aRSA,
220 .algorithm_enc = SSL_RC4,
221 .algorithm_mac = SSL_MD5,
222 .algorithm_ssl = SSL_SSLV3,
223 .algo_strength = SSL_LOW,
224 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
225 .strength_bits = 128,
226 .alg_bits = 128,
227 },
228
229 /* Cipher 05 */
230 {
231 .valid = 1,
232 .name = SSL3_TXT_RSA_RC4_128_SHA,
233 .id = SSL3_CK_RSA_RC4_128_SHA,
234 .algorithm_mkey = SSL_kRSA,
235 .algorithm_auth = SSL_aRSA,
236 .algorithm_enc = SSL_RC4,
237 .algorithm_mac = SSL_SHA1,
238 .algorithm_ssl = SSL_SSLV3,
239 .algo_strength = SSL_LOW,
240 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
241 .strength_bits = 128,
242 .alg_bits = 128,
243 },
244
245 /* Cipher 0A */
246 {
247 .valid = 1,
248 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
249 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
250 .algorithm_mkey = SSL_kRSA,
251 .algorithm_auth = SSL_aRSA,
252 .algorithm_enc = SSL_3DES,
253 .algorithm_mac = SSL_SHA1,
254 .algorithm_ssl = SSL_SSLV3,
255 .algo_strength = SSL_MEDIUM,
256 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
257 .strength_bits = 112,
258 .alg_bits = 168,
259 },
260
261 /*
262 * Ephemeral DH (DHE) ciphers.
263 */
264
265 /* Cipher 16 */
266 {
267 .valid = 1,
268 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
269 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
270 .algorithm_mkey = SSL_kDHE,
271 .algorithm_auth = SSL_aRSA,
272 .algorithm_enc = SSL_3DES,
273 .algorithm_mac = SSL_SHA1,
274 .algorithm_ssl = SSL_SSLV3,
275 .algo_strength = SSL_MEDIUM,
276 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
277 .strength_bits = 112,
278 .alg_bits = 168,
279 },
280
281 /* Cipher 18 */
282 {
283 .valid = 1,
284 .name = SSL3_TXT_ADH_RC4_128_MD5,
285 .id = SSL3_CK_ADH_RC4_128_MD5,
286 .algorithm_mkey = SSL_kDHE,
287 .algorithm_auth = SSL_aNULL,
288 .algorithm_enc = SSL_RC4,
289 .algorithm_mac = SSL_MD5,
290 .algorithm_ssl = SSL_SSLV3,
291 .algo_strength = SSL_LOW,
292 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
293 .strength_bits = 128,
294 .alg_bits = 128,
295 },
296
297 /* Cipher 1B */
298 {
299 .valid = 1,
300 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
301 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
302 .algorithm_mkey = SSL_kDHE,
303 .algorithm_auth = SSL_aNULL,
304 .algorithm_enc = SSL_3DES,
305 .algorithm_mac = SSL_SHA1,
306 .algorithm_ssl = SSL_SSLV3,
307 .algo_strength = SSL_MEDIUM,
308 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
309 .strength_bits = 112,
310 .alg_bits = 168,
311 },
312
313 /*
314 * AES ciphersuites.
315 */
316
317 /* Cipher 2F */
318 {
319 .valid = 1,
320 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
321 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
322 .algorithm_mkey = SSL_kRSA,
323 .algorithm_auth = SSL_aRSA,
324 .algorithm_enc = SSL_AES128,
325 .algorithm_mac = SSL_SHA1,
326 .algorithm_ssl = SSL_TLSV1,
327 .algo_strength = SSL_HIGH,
328 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
329 .strength_bits = 128,
330 .alg_bits = 128,
331 },
332
333 /* Cipher 33 */
334 {
335 .valid = 1,
336 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
337 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
338 .algorithm_mkey = SSL_kDHE,
339 .algorithm_auth = SSL_aRSA,
340 .algorithm_enc = SSL_AES128,
341 .algorithm_mac = SSL_SHA1,
342 .algorithm_ssl = SSL_TLSV1,
343 .algo_strength = SSL_HIGH,
344 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
345 .strength_bits = 128,
346 .alg_bits = 128,
347 },
348
349 /* Cipher 34 */
350 {
351 .valid = 1,
352 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
353 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
354 .algorithm_mkey = SSL_kDHE,
355 .algorithm_auth = SSL_aNULL,
356 .algorithm_enc = SSL_AES128,
357 .algorithm_mac = SSL_SHA1,
358 .algorithm_ssl = SSL_TLSV1,
359 .algo_strength = SSL_HIGH,
360 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
361 .strength_bits = 128,
362 .alg_bits = 128,
363 },
364
365 /* Cipher 35 */
366 {
367 .valid = 1,
368 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
369 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
370 .algorithm_mkey = SSL_kRSA,
371 .algorithm_auth = SSL_aRSA,
372 .algorithm_enc = SSL_AES256,
373 .algorithm_mac = SSL_SHA1,
374 .algorithm_ssl = SSL_TLSV1,
375 .algo_strength = SSL_HIGH,
376 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
377 .strength_bits = 256,
378 .alg_bits = 256,
379 },
380
381 /* Cipher 39 */
382 {
383 .valid = 1,
384 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
385 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
386 .algorithm_mkey = SSL_kDHE,
387 .algorithm_auth = SSL_aRSA,
388 .algorithm_enc = SSL_AES256,
389 .algorithm_mac = SSL_SHA1,
390 .algorithm_ssl = SSL_TLSV1,
391 .algo_strength = SSL_HIGH,
392 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
393 .strength_bits = 256,
394 .alg_bits = 256,
395 },
396
397 /* Cipher 3A */
398 {
399 .valid = 1,
400 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
401 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
402 .algorithm_mkey = SSL_kDHE,
403 .algorithm_auth = SSL_aNULL,
404 .algorithm_enc = SSL_AES256,
405 .algorithm_mac = SSL_SHA1,
406 .algorithm_ssl = SSL_TLSV1,
407 .algo_strength = SSL_HIGH,
408 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
409 .strength_bits = 256,
410 .alg_bits = 256,
411 },
412
413 /* TLS v1.2 ciphersuites */
414 /* Cipher 3B */
415 {
416 .valid = 1,
417 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
418 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
419 .algorithm_mkey = SSL_kRSA,
420 .algorithm_auth = SSL_aRSA,
421 .algorithm_enc = SSL_eNULL,
422 .algorithm_mac = SSL_SHA256,
423 .algorithm_ssl = SSL_TLSV1_2,
424 .algo_strength = SSL_STRONG_NONE,
425 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
426 .strength_bits = 0,
427 .alg_bits = 0,
428 },
429
430 /* Cipher 3C */
431 {
432 .valid = 1,
433 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
434 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
435 .algorithm_mkey = SSL_kRSA,
436 .algorithm_auth = SSL_aRSA,
437 .algorithm_enc = SSL_AES128,
438 .algorithm_mac = SSL_SHA256,
439 .algorithm_ssl = SSL_TLSV1_2,
440 .algo_strength = SSL_HIGH,
441 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
442 .strength_bits = 128,
443 .alg_bits = 128,
444 },
445
446 /* Cipher 3D */
447 {
448 .valid = 1,
449 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
450 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
451 .algorithm_mkey = SSL_kRSA,
452 .algorithm_auth = SSL_aRSA,
453 .algorithm_enc = SSL_AES256,
454 .algorithm_mac = SSL_SHA256,
455 .algorithm_ssl = SSL_TLSV1_2,
456 .algo_strength = SSL_HIGH,
457 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
458 .strength_bits = 256,
459 .alg_bits = 256,
460 },
461
462#ifndef OPENSSL_NO_CAMELLIA
463 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
464
465 /* Cipher 41 */
466 {
467 .valid = 1,
468 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
469 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
470 .algorithm_mkey = SSL_kRSA,
471 .algorithm_auth = SSL_aRSA,
472 .algorithm_enc = SSL_CAMELLIA128,
473 .algorithm_mac = SSL_SHA1,
474 .algorithm_ssl = SSL_TLSV1,
475 .algo_strength = SSL_HIGH,
476 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
477 .strength_bits = 128,
478 .alg_bits = 128,
479 },
480
481 /* Cipher 45 */
482 {
483 .valid = 1,
484 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
485 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
486 .algorithm_mkey = SSL_kDHE,
487 .algorithm_auth = SSL_aRSA,
488 .algorithm_enc = SSL_CAMELLIA128,
489 .algorithm_mac = SSL_SHA1,
490 .algorithm_ssl = SSL_TLSV1,
491 .algo_strength = SSL_HIGH,
492 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
493 .strength_bits = 128,
494 .alg_bits = 128,
495 },
496
497 /* Cipher 46 */
498 {
499 .valid = 1,
500 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
501 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
502 .algorithm_mkey = SSL_kDHE,
503 .algorithm_auth = SSL_aNULL,
504 .algorithm_enc = SSL_CAMELLIA128,
505 .algorithm_mac = SSL_SHA1,
506 .algorithm_ssl = SSL_TLSV1,
507 .algo_strength = SSL_HIGH,
508 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
509 .strength_bits = 128,
510 .alg_bits = 128,
511 },
512#endif /* OPENSSL_NO_CAMELLIA */
513
514 /* TLS v1.2 ciphersuites */
515 /* Cipher 67 */
516 {
517 .valid = 1,
518 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
519 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
520 .algorithm_mkey = SSL_kDHE,
521 .algorithm_auth = SSL_aRSA,
522 .algorithm_enc = SSL_AES128,
523 .algorithm_mac = SSL_SHA256,
524 .algorithm_ssl = SSL_TLSV1_2,
525 .algo_strength = SSL_HIGH,
526 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
527 .strength_bits = 128,
528 .alg_bits = 128,
529 },
530
531 /* Cipher 6B */
532 {
533 .valid = 1,
534 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
535 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
536 .algorithm_mkey = SSL_kDHE,
537 .algorithm_auth = SSL_aRSA,
538 .algorithm_enc = SSL_AES256,
539 .algorithm_mac = SSL_SHA256,
540 .algorithm_ssl = SSL_TLSV1_2,
541 .algo_strength = SSL_HIGH,
542 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
543 .strength_bits = 256,
544 .alg_bits = 256,
545 },
546
547 /* Cipher 6C */
548 {
549 .valid = 1,
550 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
551 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
552 .algorithm_mkey = SSL_kDHE,
553 .algorithm_auth = SSL_aNULL,
554 .algorithm_enc = SSL_AES128,
555 .algorithm_mac = SSL_SHA256,
556 .algorithm_ssl = SSL_TLSV1_2,
557 .algo_strength = SSL_HIGH,
558 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
559 .strength_bits = 128,
560 .alg_bits = 128,
561 },
562
563 /* Cipher 6D */
564 {
565 .valid = 1,
566 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
567 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
568 .algorithm_mkey = SSL_kDHE,
569 .algorithm_auth = SSL_aNULL,
570 .algorithm_enc = SSL_AES256,
571 .algorithm_mac = SSL_SHA256,
572 .algorithm_ssl = SSL_TLSV1_2,
573 .algo_strength = SSL_HIGH,
574 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
575 .strength_bits = 256,
576 .alg_bits = 256,
577 },
578
579 /* GOST Ciphersuites */
580
581 /* Cipher 81 */
582 {
583 .valid = 1,
584 .name = "GOST2001-GOST89-GOST89",
585 .id = 0x3000081,
586 .algorithm_mkey = SSL_kGOST,
587 .algorithm_auth = SSL_aGOST01,
588 .algorithm_enc = SSL_eGOST2814789CNT,
589 .algorithm_mac = SSL_GOST89MAC,
590 .algorithm_ssl = SSL_TLSV1,
591 .algo_strength = SSL_HIGH,
592 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
593 TLS1_STREAM_MAC,
594 .strength_bits = 256,
595 .alg_bits = 256
596 },
597
598 /* Cipher 83 */
599 {
600 .valid = 1,
601 .name = "GOST2001-NULL-GOST94",
602 .id = 0x3000083,
603 .algorithm_mkey = SSL_kGOST,
604 .algorithm_auth = SSL_aGOST01,
605 .algorithm_enc = SSL_eNULL,
606 .algorithm_mac = SSL_GOST94,
607 .algorithm_ssl = SSL_TLSV1,
608 .algo_strength = SSL_STRONG_NONE,
609 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
610 .strength_bits = 0,
611 .alg_bits = 0
612 },
613
614#ifndef OPENSSL_NO_CAMELLIA
615 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
616
617 /* Cipher 84 */
618 {
619 .valid = 1,
620 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
621 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
622 .algorithm_mkey = SSL_kRSA,
623 .algorithm_auth = SSL_aRSA,
624 .algorithm_enc = SSL_CAMELLIA256,
625 .algorithm_mac = SSL_SHA1,
626 .algorithm_ssl = SSL_TLSV1,
627 .algo_strength = SSL_HIGH,
628 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
629 .strength_bits = 256,
630 .alg_bits = 256,
631 },
632
633 /* Cipher 88 */
634 {
635 .valid = 1,
636 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
637 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
638 .algorithm_mkey = SSL_kDHE,
639 .algorithm_auth = SSL_aRSA,
640 .algorithm_enc = SSL_CAMELLIA256,
641 .algorithm_mac = SSL_SHA1,
642 .algorithm_ssl = SSL_TLSV1,
643 .algo_strength = SSL_HIGH,
644 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
645 .strength_bits = 256,
646 .alg_bits = 256,
647 },
648
649 /* Cipher 89 */
650 {
651 .valid = 1,
652 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
653 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
654 .algorithm_mkey = SSL_kDHE,
655 .algorithm_auth = SSL_aNULL,
656 .algorithm_enc = SSL_CAMELLIA256,
657 .algorithm_mac = SSL_SHA1,
658 .algorithm_ssl = SSL_TLSV1,
659 .algo_strength = SSL_HIGH,
660 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
661 .strength_bits = 256,
662 .alg_bits = 256,
663 },
664#endif /* OPENSSL_NO_CAMELLIA */
665
666 /*
667 * GCM ciphersuites from RFC5288.
668 */
669
670 /* Cipher 9C */
671 {
672 .valid = 1,
673 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
674 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
675 .algorithm_mkey = SSL_kRSA,
676 .algorithm_auth = SSL_aRSA,
677 .algorithm_enc = SSL_AES128GCM,
678 .algorithm_mac = SSL_AEAD,
679 .algorithm_ssl = SSL_TLSV1_2,
680 .algo_strength = SSL_HIGH,
681 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
682 FIXED_NONCE_LEN(4)|
683 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
684 .strength_bits = 128,
685 .alg_bits = 128,
686 },
687
688 /* Cipher 9D */
689 {
690 .valid = 1,
691 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
692 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
693 .algorithm_mkey = SSL_kRSA,
694 .algorithm_auth = SSL_aRSA,
695 .algorithm_enc = SSL_AES256GCM,
696 .algorithm_mac = SSL_AEAD,
697 .algorithm_ssl = SSL_TLSV1_2,
698 .algo_strength = SSL_HIGH,
699 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
700 FIXED_NONCE_LEN(4)|
701 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
702 .strength_bits = 256,
703 .alg_bits = 256,
704 },
705
706 /* Cipher 9E */
707 {
708 .valid = 1,
709 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
710 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
711 .algorithm_mkey = SSL_kDHE,
712 .algorithm_auth = SSL_aRSA,
713 .algorithm_enc = SSL_AES128GCM,
714 .algorithm_mac = SSL_AEAD,
715 .algorithm_ssl = SSL_TLSV1_2,
716 .algo_strength = SSL_HIGH,
717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
718 FIXED_NONCE_LEN(4)|
719 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
720 .strength_bits = 128,
721 .alg_bits = 128,
722 },
723
724 /* Cipher 9F */
725 {
726 .valid = 1,
727 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
728 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
729 .algorithm_mkey = SSL_kDHE,
730 .algorithm_auth = SSL_aRSA,
731 .algorithm_enc = SSL_AES256GCM,
732 .algorithm_mac = SSL_AEAD,
733 .algorithm_ssl = SSL_TLSV1_2,
734 .algo_strength = SSL_HIGH,
735 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
736 FIXED_NONCE_LEN(4)|
737 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
738 .strength_bits = 256,
739 .alg_bits = 256,
740 },
741
742 /* Cipher A6 */
743 {
744 .valid = 1,
745 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
746 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
747 .algorithm_mkey = SSL_kDHE,
748 .algorithm_auth = SSL_aNULL,
749 .algorithm_enc = SSL_AES128GCM,
750 .algorithm_mac = SSL_AEAD,
751 .algorithm_ssl = SSL_TLSV1_2,
752 .algo_strength = SSL_HIGH,
753 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
754 FIXED_NONCE_LEN(4)|
755 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
756 .strength_bits = 128,
757 .alg_bits = 128,
758 },
759
760 /* Cipher A7 */
761 {
762 .valid = 1,
763 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
764 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
765 .algorithm_mkey = SSL_kDHE,
766 .algorithm_auth = SSL_aNULL,
767 .algorithm_enc = SSL_AES256GCM,
768 .algorithm_mac = SSL_AEAD,
769 .algorithm_ssl = SSL_TLSV1_2,
770 .algo_strength = SSL_HIGH,
771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
772 FIXED_NONCE_LEN(4)|
773 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
774 .strength_bits = 256,
775 .alg_bits = 256,
776 },
777
778#ifndef OPENSSL_NO_CAMELLIA
779 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
780
781 /* Cipher BA */
782 {
783 .valid = 1,
784 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
785 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
786 .algorithm_mkey = SSL_kRSA,
787 .algorithm_auth = SSL_aRSA,
788 .algorithm_enc = SSL_CAMELLIA128,
789 .algorithm_mac = SSL_SHA256,
790 .algorithm_ssl = SSL_TLSV1_2,
791 .algo_strength = SSL_HIGH,
792 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
793 .strength_bits = 128,
794 .alg_bits = 128,
795 },
796
797 /* Cipher BE */
798 {
799 .valid = 1,
800 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
801 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
802 .algorithm_mkey = SSL_kDHE,
803 .algorithm_auth = SSL_aRSA,
804 .algorithm_enc = SSL_CAMELLIA128,
805 .algorithm_mac = SSL_SHA256,
806 .algorithm_ssl = SSL_TLSV1_2,
807 .algo_strength = SSL_HIGH,
808 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
809 .strength_bits = 128,
810 .alg_bits = 128,
811 },
812
813 /* Cipher BF */
814 {
815 .valid = 1,
816 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
817 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
818 .algorithm_mkey = SSL_kDHE,
819 .algorithm_auth = SSL_aNULL,
820 .algorithm_enc = SSL_CAMELLIA128,
821 .algorithm_mac = SSL_SHA256,
822 .algorithm_ssl = SSL_TLSV1_2,
823 .algo_strength = SSL_HIGH,
824 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
825 .strength_bits = 128,
826 .alg_bits = 128,
827 },
828
829 /* Cipher C0 */
830 {
831 .valid = 1,
832 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
833 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
834 .algorithm_mkey = SSL_kRSA,
835 .algorithm_auth = SSL_aRSA,
836 .algorithm_enc = SSL_CAMELLIA256,
837 .algorithm_mac = SSL_SHA256,
838 .algorithm_ssl = SSL_TLSV1_2,
839 .algo_strength = SSL_HIGH,
840 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
841 .strength_bits = 256,
842 .alg_bits = 256,
843 },
844
845 /* Cipher C4 */
846 {
847 .valid = 1,
848 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
849 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
850 .algorithm_mkey = SSL_kDHE,
851 .algorithm_auth = SSL_aRSA,
852 .algorithm_enc = SSL_CAMELLIA256,
853 .algorithm_mac = SSL_SHA256,
854 .algorithm_ssl = SSL_TLSV1_2,
855 .algo_strength = SSL_HIGH,
856 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
857 .strength_bits = 256,
858 .alg_bits = 256,
859 },
860
861 /* Cipher C5 */
862 {
863 .valid = 1,
864 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
865 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
866 .algorithm_mkey = SSL_kDHE,
867 .algorithm_auth = SSL_aNULL,
868 .algorithm_enc = SSL_CAMELLIA256,
869 .algorithm_mac = SSL_SHA256,
870 .algorithm_ssl = SSL_TLSV1_2,
871 .algo_strength = SSL_HIGH,
872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
873 .strength_bits = 256,
874 .alg_bits = 256,
875 },
876#endif /* OPENSSL_NO_CAMELLIA */
877
878 /*
879 * TLSv1.3 cipher suites.
880 */
881
882#ifdef LIBRESSL_HAS_TLS1_3
883 /* Cipher 1301 */
884 {
885 .valid = 1,
886 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
887 .id = TLS1_3_CK_AES_128_GCM_SHA256,
888 .algorithm_mkey = SSL_kTLS1_3,
889 .algorithm_auth = SSL_aTLS1_3,
890 .algorithm_enc = SSL_AES128GCM,
891 .algorithm_mac = SSL_AEAD,
892 .algorithm_ssl = SSL_TLSV1_3,
893 .algo_strength = SSL_HIGH,
894 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
895 .strength_bits = 128,
896 .alg_bits = 128,
897 },
898
899 /* Cipher 1302 */
900 {
901 .valid = 1,
902 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
903 .id = TLS1_3_CK_AES_256_GCM_SHA384,
904 .algorithm_mkey = SSL_kTLS1_3,
905 .algorithm_auth = SSL_aTLS1_3,
906 .algorithm_enc = SSL_AES256GCM,
907 .algorithm_mac = SSL_AEAD,
908 .algorithm_ssl = SSL_TLSV1_3,
909 .algo_strength = SSL_HIGH,
910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
911 .strength_bits = 256,
912 .alg_bits = 256,
913 },
914
915 /* Cipher 1303 */
916 {
917 .valid = 1,
918 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
919 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
920 .algorithm_mkey = SSL_kTLS1_3,
921 .algorithm_auth = SSL_aTLS1_3,
922 .algorithm_enc = SSL_CHACHA20POLY1305,
923 .algorithm_mac = SSL_AEAD,
924 .algorithm_ssl = SSL_TLSV1_3,
925 .algo_strength = SSL_HIGH,
926 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
927 .strength_bits = 256,
928 .alg_bits = 256,
929 },
930#endif
931
932 /* Cipher C006 */
933 {
934 .valid = 1,
935 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
936 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
937 .algorithm_mkey = SSL_kECDHE,
938 .algorithm_auth = SSL_aECDSA,
939 .algorithm_enc = SSL_eNULL,
940 .algorithm_mac = SSL_SHA1,
941 .algorithm_ssl = SSL_TLSV1,
942 .algo_strength = SSL_STRONG_NONE,
943 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
944 .strength_bits = 0,
945 .alg_bits = 0,
946 },
947
948 /* Cipher C007 */
949 {
950 .valid = 1,
951 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
952 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
953 .algorithm_mkey = SSL_kECDHE,
954 .algorithm_auth = SSL_aECDSA,
955 .algorithm_enc = SSL_RC4,
956 .algorithm_mac = SSL_SHA1,
957 .algorithm_ssl = SSL_TLSV1,
958 .algo_strength = SSL_LOW,
959 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
960 .strength_bits = 128,
961 .alg_bits = 128,
962 },
963
964 /* Cipher C008 */
965 {
966 .valid = 1,
967 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
968 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
969 .algorithm_mkey = SSL_kECDHE,
970 .algorithm_auth = SSL_aECDSA,
971 .algorithm_enc = SSL_3DES,
972 .algorithm_mac = SSL_SHA1,
973 .algorithm_ssl = SSL_TLSV1,
974 .algo_strength = SSL_MEDIUM,
975 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
976 .strength_bits = 112,
977 .alg_bits = 168,
978 },
979
980 /* Cipher C009 */
981 {
982 .valid = 1,
983 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
984 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
985 .algorithm_mkey = SSL_kECDHE,
986 .algorithm_auth = SSL_aECDSA,
987 .algorithm_enc = SSL_AES128,
988 .algorithm_mac = SSL_SHA1,
989 .algorithm_ssl = SSL_TLSV1,
990 .algo_strength = SSL_HIGH,
991 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
992 .strength_bits = 128,
993 .alg_bits = 128,
994 },
995
996 /* Cipher C00A */
997 {
998 .valid = 1,
999 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1000 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1001 .algorithm_mkey = SSL_kECDHE,
1002 .algorithm_auth = SSL_aECDSA,
1003 .algorithm_enc = SSL_AES256,
1004 .algorithm_mac = SSL_SHA1,
1005 .algorithm_ssl = SSL_TLSV1,
1006 .algo_strength = SSL_HIGH,
1007 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1008 .strength_bits = 256,
1009 .alg_bits = 256,
1010 },
1011
1012 /* Cipher C010 */
1013 {
1014 .valid = 1,
1015 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1016 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1017 .algorithm_mkey = SSL_kECDHE,
1018 .algorithm_auth = SSL_aRSA,
1019 .algorithm_enc = SSL_eNULL,
1020 .algorithm_mac = SSL_SHA1,
1021 .algorithm_ssl = SSL_TLSV1,
1022 .algo_strength = SSL_STRONG_NONE,
1023 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1024 .strength_bits = 0,
1025 .alg_bits = 0,
1026 },
1027
1028 /* Cipher C011 */
1029 {
1030 .valid = 1,
1031 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1032 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1033 .algorithm_mkey = SSL_kECDHE,
1034 .algorithm_auth = SSL_aRSA,
1035 .algorithm_enc = SSL_RC4,
1036 .algorithm_mac = SSL_SHA1,
1037 .algorithm_ssl = SSL_TLSV1,
1038 .algo_strength = SSL_LOW,
1039 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1040 .strength_bits = 128,
1041 .alg_bits = 128,
1042 },
1043
1044 /* Cipher C012 */
1045 {
1046 .valid = 1,
1047 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1048 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1049 .algorithm_mkey = SSL_kECDHE,
1050 .algorithm_auth = SSL_aRSA,
1051 .algorithm_enc = SSL_3DES,
1052 .algorithm_mac = SSL_SHA1,
1053 .algorithm_ssl = SSL_TLSV1,
1054 .algo_strength = SSL_MEDIUM,
1055 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1056 .strength_bits = 112,
1057 .alg_bits = 168,
1058 },
1059
1060 /* Cipher C013 */
1061 {
1062 .valid = 1,
1063 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1064 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1065 .algorithm_mkey = SSL_kECDHE,
1066 .algorithm_auth = SSL_aRSA,
1067 .algorithm_enc = SSL_AES128,
1068 .algorithm_mac = SSL_SHA1,
1069 .algorithm_ssl = SSL_TLSV1,
1070 .algo_strength = SSL_HIGH,
1071 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1072 .strength_bits = 128,
1073 .alg_bits = 128,
1074 },
1075
1076 /* Cipher C014 */
1077 {
1078 .valid = 1,
1079 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1080 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1081 .algorithm_mkey = SSL_kECDHE,
1082 .algorithm_auth = SSL_aRSA,
1083 .algorithm_enc = SSL_AES256,
1084 .algorithm_mac = SSL_SHA1,
1085 .algorithm_ssl = SSL_TLSV1,
1086 .algo_strength = SSL_HIGH,
1087 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1088 .strength_bits = 256,
1089 .alg_bits = 256,
1090 },
1091
1092 /* Cipher C015 */
1093 {
1094 .valid = 1,
1095 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1096 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1097 .algorithm_mkey = SSL_kECDHE,
1098 .algorithm_auth = SSL_aNULL,
1099 .algorithm_enc = SSL_eNULL,
1100 .algorithm_mac = SSL_SHA1,
1101 .algorithm_ssl = SSL_TLSV1,
1102 .algo_strength = SSL_STRONG_NONE,
1103 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1104 .strength_bits = 0,
1105 .alg_bits = 0,
1106 },
1107
1108 /* Cipher C016 */
1109 {
1110 .valid = 1,
1111 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1112 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1113 .algorithm_mkey = SSL_kECDHE,
1114 .algorithm_auth = SSL_aNULL,
1115 .algorithm_enc = SSL_RC4,
1116 .algorithm_mac = SSL_SHA1,
1117 .algorithm_ssl = SSL_TLSV1,
1118 .algo_strength = SSL_LOW,
1119 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1120 .strength_bits = 128,
1121 .alg_bits = 128,
1122 },
1123
1124 /* Cipher C017 */
1125 {
1126 .valid = 1,
1127 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1128 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1129 .algorithm_mkey = SSL_kECDHE,
1130 .algorithm_auth = SSL_aNULL,
1131 .algorithm_enc = SSL_3DES,
1132 .algorithm_mac = SSL_SHA1,
1133 .algorithm_ssl = SSL_TLSV1,
1134 .algo_strength = SSL_MEDIUM,
1135 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1136 .strength_bits = 112,
1137 .alg_bits = 168,
1138 },
1139
1140 /* Cipher C018 */
1141 {
1142 .valid = 1,
1143 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1144 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1145 .algorithm_mkey = SSL_kECDHE,
1146 .algorithm_auth = SSL_aNULL,
1147 .algorithm_enc = SSL_AES128,
1148 .algorithm_mac = SSL_SHA1,
1149 .algorithm_ssl = SSL_TLSV1,
1150 .algo_strength = SSL_HIGH,
1151 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1152 .strength_bits = 128,
1153 .alg_bits = 128,
1154 },
1155
1156 /* Cipher C019 */
1157 {
1158 .valid = 1,
1159 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1160 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1161 .algorithm_mkey = SSL_kECDHE,
1162 .algorithm_auth = SSL_aNULL,
1163 .algorithm_enc = SSL_AES256,
1164 .algorithm_mac = SSL_SHA1,
1165 .algorithm_ssl = SSL_TLSV1,
1166 .algo_strength = SSL_HIGH,
1167 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1168 .strength_bits = 256,
1169 .alg_bits = 256,
1170 },
1171
1172
1173 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1174
1175 /* Cipher C023 */
1176 {
1177 .valid = 1,
1178 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1179 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1180 .algorithm_mkey = SSL_kECDHE,
1181 .algorithm_auth = SSL_aECDSA,
1182 .algorithm_enc = SSL_AES128,
1183 .algorithm_mac = SSL_SHA256,
1184 .algorithm_ssl = SSL_TLSV1_2,
1185 .algo_strength = SSL_HIGH,
1186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1187 .strength_bits = 128,
1188 .alg_bits = 128,
1189 },
1190
1191 /* Cipher C024 */
1192 {
1193 .valid = 1,
1194 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1195 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1196 .algorithm_mkey = SSL_kECDHE,
1197 .algorithm_auth = SSL_aECDSA,
1198 .algorithm_enc = SSL_AES256,
1199 .algorithm_mac = SSL_SHA384,
1200 .algorithm_ssl = SSL_TLSV1_2,
1201 .algo_strength = SSL_HIGH,
1202 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1203 .strength_bits = 256,
1204 .alg_bits = 256,
1205 },
1206
1207 /* Cipher C027 */
1208 {
1209 .valid = 1,
1210 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1211 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1212 .algorithm_mkey = SSL_kECDHE,
1213 .algorithm_auth = SSL_aRSA,
1214 .algorithm_enc = SSL_AES128,
1215 .algorithm_mac = SSL_SHA256,
1216 .algorithm_ssl = SSL_TLSV1_2,
1217 .algo_strength = SSL_HIGH,
1218 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1219 .strength_bits = 128,
1220 .alg_bits = 128,
1221 },
1222
1223 /* Cipher C028 */
1224 {
1225 .valid = 1,
1226 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1227 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1228 .algorithm_mkey = SSL_kECDHE,
1229 .algorithm_auth = SSL_aRSA,
1230 .algorithm_enc = SSL_AES256,
1231 .algorithm_mac = SSL_SHA384,
1232 .algorithm_ssl = SSL_TLSV1_2,
1233 .algo_strength = SSL_HIGH,
1234 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1235 .strength_bits = 256,
1236 .alg_bits = 256,
1237 },
1238
1239 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1240
1241 /* Cipher C02B */
1242 {
1243 .valid = 1,
1244 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1245 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1246 .algorithm_mkey = SSL_kECDHE,
1247 .algorithm_auth = SSL_aECDSA,
1248 .algorithm_enc = SSL_AES128GCM,
1249 .algorithm_mac = SSL_AEAD,
1250 .algorithm_ssl = SSL_TLSV1_2,
1251 .algo_strength = SSL_HIGH,
1252 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1253 FIXED_NONCE_LEN(4)|
1254 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1255 .strength_bits = 128,
1256 .alg_bits = 128,
1257 },
1258
1259 /* Cipher C02C */
1260 {
1261 .valid = 1,
1262 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1263 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1264 .algorithm_mkey = SSL_kECDHE,
1265 .algorithm_auth = SSL_aECDSA,
1266 .algorithm_enc = SSL_AES256GCM,
1267 .algorithm_mac = SSL_AEAD,
1268 .algorithm_ssl = SSL_TLSV1_2,
1269 .algo_strength = SSL_HIGH,
1270 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1271 FIXED_NONCE_LEN(4)|
1272 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1273 .strength_bits = 256,
1274 .alg_bits = 256,
1275 },
1276
1277 /* Cipher C02F */
1278 {
1279 .valid = 1,
1280 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1281 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1282 .algorithm_mkey = SSL_kECDHE,
1283 .algorithm_auth = SSL_aRSA,
1284 .algorithm_enc = SSL_AES128GCM,
1285 .algorithm_mac = SSL_AEAD,
1286 .algorithm_ssl = SSL_TLSV1_2,
1287 .algo_strength = SSL_HIGH,
1288 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1289 FIXED_NONCE_LEN(4)|
1290 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1291 .strength_bits = 128,
1292 .alg_bits = 128,
1293 },
1294
1295 /* Cipher C030 */
1296 {
1297 .valid = 1,
1298 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1299 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1300 .algorithm_mkey = SSL_kECDHE,
1301 .algorithm_auth = SSL_aRSA,
1302 .algorithm_enc = SSL_AES256GCM,
1303 .algorithm_mac = SSL_AEAD,
1304 .algorithm_ssl = SSL_TLSV1_2,
1305 .algo_strength = SSL_HIGH,
1306 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1307 FIXED_NONCE_LEN(4)|
1308 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1309 .strength_bits = 256,
1310 .alg_bits = 256,
1311 },
1312
1313 /* Cipher CCA8 */
1314 {
1315 .valid = 1,
1316 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1317 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1318 .algorithm_mkey = SSL_kECDHE,
1319 .algorithm_auth = SSL_aRSA,
1320 .algorithm_enc = SSL_CHACHA20POLY1305,
1321 .algorithm_mac = SSL_AEAD,
1322 .algorithm_ssl = SSL_TLSV1_2,
1323 .algo_strength = SSL_HIGH,
1324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1325 FIXED_NONCE_LEN(12),
1326 .strength_bits = 256,
1327 .alg_bits = 256,
1328 },
1329
1330 /* Cipher CCA9 */
1331 {
1332 .valid = 1,
1333 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1334 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1335 .algorithm_mkey = SSL_kECDHE,
1336 .algorithm_auth = SSL_aECDSA,
1337 .algorithm_enc = SSL_CHACHA20POLY1305,
1338 .algorithm_mac = SSL_AEAD,
1339 .algorithm_ssl = SSL_TLSV1_2,
1340 .algo_strength = SSL_HIGH,
1341 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1342 FIXED_NONCE_LEN(12),
1343 .strength_bits = 256,
1344 .alg_bits = 256,
1345 },
1346
1347 /* Cipher CCAA */
1348 {
1349 .valid = 1,
1350 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1351 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1352 .algorithm_mkey = SSL_kDHE,
1353 .algorithm_auth = SSL_aRSA,
1354 .algorithm_enc = SSL_CHACHA20POLY1305,
1355 .algorithm_mac = SSL_AEAD,
1356 .algorithm_ssl = SSL_TLSV1_2,
1357 .algo_strength = SSL_HIGH,
1358 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1359 FIXED_NONCE_LEN(12),
1360 .strength_bits = 256,
1361 .alg_bits = 256,
1362 },
1363
1364 /* Cipher FF85 FIXME IANA */
1365 {
1366 .valid = 1,
1367 .name = "GOST2012256-GOST89-GOST89",
1368 .id = 0x300ff85, /* FIXME IANA */
1369 .algorithm_mkey = SSL_kGOST,
1370 .algorithm_auth = SSL_aGOST01,
1371 .algorithm_enc = SSL_eGOST2814789CNT,
1372 .algorithm_mac = SSL_GOST89MAC,
1373 .algorithm_ssl = SSL_TLSV1,
1374 .algo_strength = SSL_HIGH,
1375 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1376 TLS1_STREAM_MAC,
1377 .strength_bits = 256,
1378 .alg_bits = 256
1379 },
1380
1381 /* Cipher FF87 FIXME IANA */
1382 {
1383 .valid = 1,
1384 .name = "GOST2012256-NULL-STREEBOG256",
1385 .id = 0x300ff87, /* FIXME IANA */
1386 .algorithm_mkey = SSL_kGOST,
1387 .algorithm_auth = SSL_aGOST01,
1388 .algorithm_enc = SSL_eNULL,
1389 .algorithm_mac = SSL_STREEBOG256,
1390 .algorithm_ssl = SSL_TLSV1,
1391 .algo_strength = SSL_STRONG_NONE,
1392 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1393 .strength_bits = 0,
1394 .alg_bits = 0
1395 },
1396
1397
1398 /* end of list */
1399};
1400
1401int
1402ssl3_num_ciphers(void)
1403{
1404 return (SSL3_NUM_CIPHERS);
1405}
1406
1407const SSL_CIPHER *
1408ssl3_get_cipher(unsigned int u)
1409{
1410 if (u < SSL3_NUM_CIPHERS)
1411 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1412 else
1413 return (NULL);
1414}
1415
1416const SSL_CIPHER *
1417ssl3_get_cipher_by_id(unsigned int id)
1418{
1419 const SSL_CIPHER *cp;
1420 SSL_CIPHER c;
1421
1422 c.id = id;
1423 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1424 if (cp != NULL && cp->valid == 1)
1425 return (cp);
1426
1427 return (NULL);
1428}
1429
1430const SSL_CIPHER *
1431ssl3_get_cipher_by_value(uint16_t value)
1432{
1433 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1434}
1435
1436uint16_t
1437ssl3_cipher_get_value(const SSL_CIPHER *c)
1438{
1439 return (c->id & SSL3_CK_VALUE_MASK);
1440}
1441
1442int
1443ssl3_pending(const SSL *s)
1444{
1445 if (s->s3->rcontent == NULL)
1446 return 0;
1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA)
1448 return 0;
1449
1450 return tls_content_remaining(s->s3->rcontent);
1451}
1452
1453int
1454ssl3_handshake_msg_hdr_len(SSL *s)
1455{
1456 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1457 SSL3_HM_HEADER_LENGTH);
1458}
1459
1460int
1461ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1462{
1463 int ret = 0;
1464
1465 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1466 goto err;
1467 if (!CBB_add_u8(handshake, msg_type))
1468 goto err;
1469 if (SSL_is_dtls(s)) {
1470 unsigned char *data;
1471
1472 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1473 SSL3_HM_HEADER_LENGTH))
1474 goto err;
1475 }
1476 if (!CBB_add_u24_length_prefixed(handshake, body))
1477 goto err;
1478
1479 ret = 1;
1480
1481 err:
1482 return (ret);
1483}
1484
1485int
1486ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1487{
1488 unsigned char *data = NULL;
1489 size_t outlen;
1490 int ret = 0;
1491
1492 if (!CBB_finish(handshake, &data, &outlen))
1493 goto err;
1494
1495 if (outlen > INT_MAX)
1496 goto err;
1497
1498 if (!BUF_MEM_grow_clean(s->init_buf, outlen))
1499 goto err;
1500
1501 memcpy(s->init_buf->data, data, outlen);
1502
1503 s->init_num = (int)outlen;
1504 s->init_off = 0;
1505
1506 if (SSL_is_dtls(s)) {
1507 unsigned long len;
1508 uint8_t msg_type;
1509 CBS cbs;
1510
1511 CBS_init(&cbs, data, outlen);
1512 if (!CBS_get_u8(&cbs, &msg_type))
1513 goto err;
1514
1515 len = outlen - ssl3_handshake_msg_hdr_len(s);
1516
1517 dtls1_set_message_header(s, msg_type, len, 0, len);
1518 dtls1_buffer_message(s, 0);
1519 }
1520
1521 ret = 1;
1522
1523 err:
1524 free(data);
1525
1526 return (ret);
1527}
1528
1529int
1530ssl3_handshake_write(SSL *s)
1531{
1532 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1533}
1534
1535int
1536ssl3_record_write(SSL *s, int type)
1537{
1538 if (SSL_is_dtls(s))
1539 return dtls1_do_write(s, type);
1540
1541 return ssl3_do_write(s, type);
1542}
1543
1544int
1545ssl3_new(SSL *s)
1546{
1547 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1548 return (0);
1549
1550 s->method->ssl_clear(s);
1551
1552 return (1);
1553}
1554
1555void
1556ssl3_free(SSL *s)
1557{
1558 if (s == NULL)
1559 return;
1560
1561 tls1_cleanup_key_block(s);
1562 ssl3_release_read_buffer(s);
1563 ssl3_release_write_buffer(s);
1564
1565 tls_content_free(s->s3->rcontent);
1566
1567 tls_buffer_free(s->s3->alert_fragment);
1568 tls_buffer_free(s->s3->handshake_fragment);
1569
1570 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1571 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1572 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1573 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
1574 tls_key_share_free(s->s3->hs.key_share);
1575
1576 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1577 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1578 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1579
1580 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1581
1582 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1583
1584 tls1_transcript_free(s);
1585 tls1_transcript_hash_free(s);
1586
1587 free(s->s3->alpn_selected);
1588
1589 freezero(s->s3->peer_quic_transport_params,
1590 s->s3->peer_quic_transport_params_len);
1591
1592 freezero(s->s3, sizeof(*s->s3));
1593
1594 s->s3 = NULL;
1595}
1596
1597void
1598ssl3_clear(SSL *s)
1599{
1600 unsigned char *rp, *wp;
1601 size_t rlen, wlen;
1602
1603 tls1_cleanup_key_block(s);
1604 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1605
1606 tls_buffer_free(s->s3->alert_fragment);
1607 s->s3->alert_fragment = NULL;
1608 tls_buffer_free(s->s3->handshake_fragment);
1609 s->s3->handshake_fragment = NULL;
1610
1611 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1612 s->s3->hs.sigalgs = NULL;
1613 s->s3->hs.sigalgs_len = 0;
1614
1615 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1616 s->s3->hs.peer_certs = NULL;
1617 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1618 s->s3->hs.peer_certs_no_leaf = NULL;
1619 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
1620 s->s3->hs.verified_chain = NULL;
1621
1622 tls_key_share_free(s->s3->hs.key_share);
1623 s->s3->hs.key_share = NULL;
1624
1625 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1626 s->s3->hs.tls13.secrets = NULL;
1627 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1628 s->s3->hs.tls13.cookie = NULL;
1629 s->s3->hs.tls13.cookie_len = 0;
1630 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1631
1632 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1633 s->s3->hs.tls13.quic_read_buffer = NULL;
1634 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial;
1635 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial;
1636
1637 s->s3->hs.extensions_seen = 0;
1638
1639 rp = s->s3->rbuf.buf;
1640 wp = s->s3->wbuf.buf;
1641 rlen = s->s3->rbuf.len;
1642 wlen = s->s3->wbuf.len;
1643
1644 tls_content_free(s->s3->rcontent);
1645 s->s3->rcontent = NULL;
1646
1647 tls1_transcript_free(s);
1648 tls1_transcript_hash_free(s);
1649
1650 free(s->s3->alpn_selected);
1651 s->s3->alpn_selected = NULL;
1652 s->s3->alpn_selected_len = 0;
1653
1654 freezero(s->s3->peer_quic_transport_params,
1655 s->s3->peer_quic_transport_params_len);
1656 s->s3->peer_quic_transport_params = NULL;
1657 s->s3->peer_quic_transport_params_len = 0;
1658
1659 memset(s->s3, 0, sizeof(*s->s3));
1660
1661 s->s3->rbuf.buf = rp;
1662 s->s3->wbuf.buf = wp;
1663 s->s3->rbuf.len = rlen;
1664 s->s3->wbuf.len = wlen;
1665
1666 ssl_free_wbio_buffer(s);
1667
1668 /* Not needed... */
1669 s->s3->renegotiate = 0;
1670 s->s3->total_renegotiations = 0;
1671 s->s3->num_renegotiations = 0;
1672 s->s3->in_read_app_data = 0;
1673
1674 s->packet_length = 0;
1675 s->version = TLS1_2_VERSION;
1676
1677 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1678}
1679
1680long
1681_SSL_get_shared_group(SSL *s, long n)
1682{
1683 size_t count;
1684 int nid;
1685
1686 /* OpenSSL document that they return -1 for clients. They return 0. */
1687 if (!s->server)
1688 return 0;
1689
1690 if (n == -1) {
1691 if (!tls1_count_shared_groups(s, &count))
1692 return 0;
1693
1694 if (count > LONG_MAX)
1695 count = LONG_MAX;
1696
1697 return count;
1698 }
1699
1700 /* Undocumented special case added for Suite B profile support. */
1701 if (n == -2)
1702 n = 0;
1703
1704 if (n < 0)
1705 return 0;
1706
1707 if (!tls1_get_shared_group_by_index(s, n, &nid))
1708 return NID_undef;
1709
1710 return nid;
1711}
1712
1713long
1714_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1715{
1716 EVP_PKEY *pkey = NULL;
1717 int ret = 0;
1718
1719 *key = NULL;
1720
1721 if (s->s3->hs.key_share == NULL)
1722 goto err;
1723
1724 if ((pkey = EVP_PKEY_new()) == NULL)
1725 goto err;
1726 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1727 goto err;
1728
1729 *key = pkey;
1730 pkey = NULL;
1731
1732 ret = 1;
1733
1734 err:
1735 EVP_PKEY_free(pkey);
1736
1737 return (ret);
1738}
1739
1740static int
1741_SSL_session_reused(SSL *s)
1742{
1743 return s->hit;
1744}
1745
1746static int
1747_SSL_num_renegotiations(SSL *s)
1748{
1749 return s->s3->num_renegotiations;
1750}
1751
1752static int
1753_SSL_clear_num_renegotiations(SSL *s)
1754{
1755 int renegs;
1756
1757 renegs = s->s3->num_renegotiations;
1758 s->s3->num_renegotiations = 0;
1759
1760 return renegs;
1761}
1762
1763static int
1764_SSL_total_renegotiations(SSL *s)
1765{
1766 return s->s3->total_renegotiations;
1767}
1768
1769static int
1770_SSL_set_tmp_dh(SSL *s, DH *dh)
1771{
1772 DH *dhe_params;
1773
1774 if (dh == NULL) {
1775 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1776 return 0;
1777 }
1778
1779 if (!ssl_security_dh(s, dh)) {
1780 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1781 return 0;
1782 }
1783
1784 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1785 SSLerror(s, ERR_R_DH_LIB);
1786 return 0;
1787 }
1788
1789 DH_free(s->cert->dhe_params);
1790 s->cert->dhe_params = dhe_params;
1791
1792 return 1;
1793}
1794
1795static int
1796_SSL_set_dh_auto(SSL *s, int state)
1797{
1798 s->cert->dhe_params_auto = state;
1799 return 1;
1800}
1801
1802static int
1803_SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1804{
1805 const EC_GROUP *group;
1806 int nid;
1807
1808 if (ecdh == NULL)
1809 return 0;
1810 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1811 return 0;
1812
1813 nid = EC_GROUP_get_curve_name(group);
1814 return SSL_set1_groups(s, &nid, 1);
1815}
1816
1817static int
1818_SSL_set_ecdh_auto(SSL *s, int state)
1819{
1820 return 1;
1821}
1822
1823static int
1824_SSL_set_tlsext_host_name(SSL *s, const char *name)
1825{
1826 int is_ip;
1827 CBS cbs;
1828
1829 free(s->tlsext_hostname);
1830 s->tlsext_hostname = NULL;
1831
1832 if (name == NULL)
1833 return 1;
1834
1835 CBS_init(&cbs, name, strlen(name));
1836
1837 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1838 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1839 return 0;
1840 }
1841 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1842 SSLerror(s, ERR_R_INTERNAL_ERROR);
1843 return 0;
1844 }
1845
1846 return 1;
1847}
1848
1849static int
1850_SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1851{
1852 s->tlsext_debug_arg = arg;
1853 return 1;
1854}
1855
1856static int
1857_SSL_get_tlsext_status_type(SSL *s)
1858{
1859 return s->tlsext_status_type;
1860}
1861
1862static int
1863_SSL_set_tlsext_status_type(SSL *s, int type)
1864{
1865 s->tlsext_status_type = type;
1866 return 1;
1867}
1868
1869static int
1870_SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1871{
1872 *exts = s->tlsext_ocsp_exts;
1873 return 1;
1874}
1875
1876static int
1877_SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1878{
1879 /* XXX - leak... */
1880 s->tlsext_ocsp_exts = exts;
1881 return 1;
1882}
1883
1884static int
1885_SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1886{
1887 *ids = s->tlsext_ocsp_ids;
1888 return 1;
1889}
1890
1891static int
1892_SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1893{
1894 /* XXX - leak... */
1895 s->tlsext_ocsp_ids = ids;
1896 return 1;
1897}
1898
1899static int
1900_SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1901{
1902 if (s->tlsext_ocsp_resp != NULL &&
1903 s->tlsext_ocsp_resp_len < INT_MAX) {
1904 *resp = s->tlsext_ocsp_resp;
1905 return (int)s->tlsext_ocsp_resp_len;
1906 }
1907
1908 *resp = NULL;
1909
1910 return -1;
1911}
1912
1913static int
1914_SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1915{
1916 free(s->tlsext_ocsp_resp);
1917 s->tlsext_ocsp_resp = NULL;
1918 s->tlsext_ocsp_resp_len = 0;
1919
1920 if (resp_len < 0)
1921 return 0;
1922
1923 s->tlsext_ocsp_resp = resp;
1924 s->tlsext_ocsp_resp_len = (size_t)resp_len;
1925
1926 return 1;
1927}
1928
1929int
1930SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1931{
1932 return ssl_cert_set0_chain(NULL, ssl, chain);
1933}
1934LSSL_ALIAS(SSL_set0_chain);
1935
1936int
1937SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1938{
1939 return ssl_cert_set1_chain(NULL, ssl, chain);
1940}
1941LSSL_ALIAS(SSL_set1_chain);
1942
1943int
1944SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1945{
1946 return ssl_cert_add0_chain_cert(NULL, ssl, x509);
1947}
1948LSSL_ALIAS(SSL_add0_chain_cert);
1949
1950int
1951SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1952{
1953 return ssl_cert_add1_chain_cert(NULL, ssl, x509);
1954}
1955LSSL_ALIAS(SSL_add1_chain_cert);
1956
1957int
1958SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1959{
1960 *out_chain = NULL;
1961
1962 if (ssl->cert->key != NULL)
1963 *out_chain = ssl->cert->key->chain;
1964
1965 return 1;
1966}
1967LSSL_ALIAS(SSL_get0_chain_certs);
1968
1969int
1970SSL_clear_chain_certs(SSL *ssl)
1971{
1972 return ssl_cert_set0_chain(NULL, ssl, NULL);
1973}
1974LSSL_ALIAS(SSL_clear_chain_certs);
1975
1976int
1977SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1978{
1979 return tls1_set_groups(&s->tlsext_supportedgroups,
1980 &s->tlsext_supportedgroups_length, groups, groups_len);
1981}
1982LSSL_ALIAS(SSL_set1_groups);
1983
1984int
1985SSL_set1_groups_list(SSL *s, const char *groups)
1986{
1987 return tls1_set_group_list(&s->tlsext_supportedgroups,
1988 &s->tlsext_supportedgroups_length, groups);
1989}
1990LSSL_ALIAS(SSL_set1_groups_list);
1991
1992static int
1993_SSL_get_signature_nid(SSL *s, int *nid)
1994{
1995 const struct ssl_sigalg *sigalg;
1996
1997 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1998 return 0;
1999
2000 *nid = EVP_MD_type(sigalg->md());
2001
2002 return 1;
2003}
2004
2005static int
2006_SSL_get_peer_signature_nid(SSL *s, int *nid)
2007{
2008 const struct ssl_sigalg *sigalg;
2009
2010 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
2011 return 0;
2012
2013 *nid = EVP_MD_type(sigalg->md());
2014
2015 return 1;
2016}
2017
2018int
2019SSL_get_signature_type_nid(const SSL *s, int *nid)
2020{
2021 const struct ssl_sigalg *sigalg;
2022
2023 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
2024 return 0;
2025
2026 *nid = sigalg->key_type;
2027 if (sigalg->key_type == EVP_PKEY_RSA &&
2028 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2029 *nid = EVP_PKEY_RSA_PSS;
2030
2031 return 1;
2032}
2033
2034int
2035SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
2036{
2037 const struct ssl_sigalg *sigalg;
2038
2039 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
2040 return 0;
2041
2042 *nid = sigalg->key_type;
2043 if (sigalg->key_type == EVP_PKEY_RSA &&
2044 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2045 *nid = EVP_PKEY_RSA_PSS;
2046
2047 return 1;
2048}
2049
2050long
2051ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2052{
2053 switch (cmd) {
2054 case SSL_CTRL_GET_SESSION_REUSED:
2055 return _SSL_session_reused(s);
2056
2057 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
2058 return _SSL_num_renegotiations(s);
2059
2060 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
2061 return _SSL_clear_num_renegotiations(s);
2062
2063 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
2064 return _SSL_total_renegotiations(s);
2065
2066 case SSL_CTRL_SET_TMP_DH:
2067 return _SSL_set_tmp_dh(s, parg);
2068
2069 case SSL_CTRL_SET_TMP_DH_CB:
2070 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2071 return 0;
2072
2073 case SSL_CTRL_SET_DH_AUTO:
2074 return _SSL_set_dh_auto(s, larg);
2075
2076 case SSL_CTRL_SET_TMP_ECDH:
2077 return _SSL_set_tmp_ecdh(s, parg);
2078
2079 case SSL_CTRL_SET_TMP_ECDH_CB:
2080 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2081 return 0;
2082
2083 case SSL_CTRL_SET_ECDH_AUTO:
2084 return _SSL_set_ecdh_auto(s, larg);
2085
2086 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2087 if (larg != TLSEXT_NAMETYPE_host_name) {
2088 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2089 return 0;
2090 }
2091 return _SSL_set_tlsext_host_name(s, parg);
2092
2093 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2094 return _SSL_set_tlsext_debug_arg(s, parg);
2095
2096 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
2097 return _SSL_get_tlsext_status_type(s);
2098
2099 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2100 return _SSL_set_tlsext_status_type(s, larg);
2101
2102 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2103 return _SSL_get_tlsext_status_exts(s, parg);
2104
2105 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2106 return _SSL_set_tlsext_status_exts(s, parg);
2107
2108 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2109 return _SSL_get_tlsext_status_ids(s, parg);
2110
2111 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2112 return _SSL_set_tlsext_status_ids(s, parg);
2113
2114 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2115 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2116
2117 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2118 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2119
2120 case SSL_CTRL_CHAIN:
2121 if (larg == 0)
2122 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2123 else
2124 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2125
2126 case SSL_CTRL_CHAIN_CERT:
2127 if (larg == 0)
2128 return SSL_add0_chain_cert(s, (X509 *)parg);
2129 else
2130 return SSL_add1_chain_cert(s, (X509 *)parg);
2131
2132 case SSL_CTRL_GET_CHAIN_CERTS:
2133 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2134
2135 case SSL_CTRL_SET_GROUPS:
2136 return SSL_set1_groups(s, parg, larg);
2137
2138 case SSL_CTRL_SET_GROUPS_LIST:
2139 return SSL_set1_groups_list(s, parg);
2140
2141 case SSL_CTRL_GET_SHARED_GROUP:
2142 return _SSL_get_shared_group(s, larg);
2143
2144 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2145 case SSL_CTRL_GET_SERVER_TMP_KEY:
2146 if (s->server != 0)
2147 return 0;
2148 return _SSL_get_peer_tmp_key(s, parg);
2149
2150 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2151 return SSL_get_min_proto_version(s);
2152
2153 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2154 return SSL_get_max_proto_version(s);
2155
2156 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2157 if (larg < 0 || larg > UINT16_MAX)
2158 return 0;
2159 return SSL_set_min_proto_version(s, larg);
2160
2161 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2162 if (larg < 0 || larg > UINT16_MAX)
2163 return 0;
2164 return SSL_set_max_proto_version(s, larg);
2165
2166 case SSL_CTRL_GET_SIGNATURE_NID:
2167 return _SSL_get_signature_nid(s, parg);
2168
2169 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2170 return _SSL_get_peer_signature_nid(s, parg);
2171
2172 /*
2173 * Legacy controls that should eventually be removed.
2174 */
2175 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2176 return 0;
2177
2178 case SSL_CTRL_GET_FLAGS:
2179 return (int)(s->s3->flags);
2180
2181 case SSL_CTRL_NEED_TMP_RSA:
2182 return 0;
2183
2184 case SSL_CTRL_SET_TMP_RSA:
2185 case SSL_CTRL_SET_TMP_RSA_CB:
2186 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2187 return 0;
2188 }
2189
2190 return 0;
2191}
2192
2193long
2194ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2195{
2196 switch (cmd) {
2197 case SSL_CTRL_SET_TMP_RSA_CB:
2198 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2199 return 0;
2200
2201 case SSL_CTRL_SET_TMP_DH_CB:
2202 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
2203 return 1;
2204
2205 case SSL_CTRL_SET_TMP_ECDH_CB:
2206 return 1;
2207
2208 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2209 s->tlsext_debug_cb = (void (*)(SSL *, int , int,
2210 unsigned char *, int, void *))fp;
2211 return 1;
2212 }
2213
2214 return 0;
2215}
2216
2217static int
2218_SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2219{
2220 DH *dhe_params;
2221
2222 if (dh == NULL) {
2223 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
2224 return 0;
2225 }
2226
2227 if (!ssl_ctx_security_dh(ctx, dh)) {
2228 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
2229 return 0;
2230 }
2231
2232 if ((dhe_params = DHparams_dup(dh)) == NULL) {
2233 SSLerrorx(ERR_R_DH_LIB);
2234 return 0;
2235 }
2236
2237 DH_free(ctx->cert->dhe_params);
2238 ctx->cert->dhe_params = dhe_params;
2239
2240 return 1;
2241}
2242
2243static int
2244_SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2245{
2246 ctx->cert->dhe_params_auto = state;
2247 return 1;
2248}
2249
2250static int
2251_SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2252{
2253 const EC_GROUP *group;
2254 int nid;
2255
2256 if (ecdh == NULL)
2257 return 0;
2258 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2259 return 0;
2260
2261 nid = EC_GROUP_get_curve_name(group);
2262 return SSL_CTX_set1_groups(ctx, &nid, 1);
2263}
2264
2265static int
2266_SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2267{
2268 return 1;
2269}
2270
2271static int
2272_SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2273{
2274 ctx->tlsext_servername_arg = arg;
2275 return 1;
2276}
2277
2278static int
2279_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2280{
2281 if (keys == NULL)
2282 return 48;
2283
2284 if (keys_len != 48) {
2285 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2286 return 0;
2287 }
2288
2289 memcpy(keys, ctx->tlsext_tick_key_name, 16);
2290 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
2291 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
2292
2293 return 1;
2294}
2295
2296static int
2297_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2298{
2299 if (keys == NULL)
2300 return 48;
2301
2302 if (keys_len != 48) {
2303 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2304 return 0;
2305 }
2306
2307 memcpy(ctx->tlsext_tick_key_name, keys, 16);
2308 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
2309 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
2310
2311 return 1;
2312}
2313
2314static int
2315_SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2316{
2317 *arg = ctx->tlsext_status_arg;
2318 return 1;
2319}
2320
2321static int
2322_SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2323{
2324 ctx->tlsext_status_arg = arg;
2325 return 1;
2326}
2327
2328int
2329SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2330{
2331 return ssl_cert_set0_chain(ctx, NULL, chain);
2332}
2333LSSL_ALIAS(SSL_CTX_set0_chain);
2334
2335int
2336SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2337{
2338 return ssl_cert_set1_chain(ctx, NULL, chain);
2339}
2340LSSL_ALIAS(SSL_CTX_set1_chain);
2341
2342int
2343SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2344{
2345 return ssl_cert_add0_chain_cert(ctx, NULL, x509);
2346}
2347LSSL_ALIAS(SSL_CTX_add0_chain_cert);
2348
2349int
2350SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2351{
2352 return ssl_cert_add1_chain_cert(ctx, NULL, x509);
2353}
2354LSSL_ALIAS(SSL_CTX_add1_chain_cert);
2355
2356int
2357SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2358{
2359 *out_chain = NULL;
2360
2361 if (ctx->cert->key != NULL)
2362 *out_chain = ctx->cert->key->chain;
2363
2364 return 1;
2365}
2366LSSL_ALIAS(SSL_CTX_get0_chain_certs);
2367
2368int
2369SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2370{
2371 return ssl_cert_set0_chain(ctx, NULL, NULL);
2372}
2373LSSL_ALIAS(SSL_CTX_clear_chain_certs);
2374
2375static int
2376_SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2377{
2378 if (ctx->extra_certs == NULL) {
2379 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2380 return 0;
2381 }
2382 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2383 return 0;
2384
2385 return 1;
2386}
2387
2388static int
2389_SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2390{
2391 *certs = ctx->extra_certs;
2392 if (*certs == NULL)
2393 *certs = ctx->cert->key->chain;
2394
2395 return 1;
2396}
2397
2398static int
2399_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2400{
2401 *certs = ctx->extra_certs;
2402 return 1;
2403}
2404
2405static int
2406_SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2407{
2408 sk_X509_pop_free(ctx->extra_certs, X509_free);
2409 ctx->extra_certs = NULL;
2410 return 1;
2411}
2412
2413int
2414SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2415{
2416 return tls1_set_groups(&ctx->tlsext_supportedgroups,
2417 &ctx->tlsext_supportedgroups_length, groups, groups_len);
2418}
2419LSSL_ALIAS(SSL_CTX_set1_groups);
2420
2421int
2422SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2423{
2424 return tls1_set_group_list(&ctx->tlsext_supportedgroups,
2425 &ctx->tlsext_supportedgroups_length, groups);
2426}
2427LSSL_ALIAS(SSL_CTX_set1_groups_list);
2428
2429long
2430ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2431{
2432 switch (cmd) {
2433 case SSL_CTRL_SET_TMP_DH:
2434 return _SSL_CTX_set_tmp_dh(ctx, parg);
2435
2436 case SSL_CTRL_SET_TMP_DH_CB:
2437 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2438 return 0;
2439
2440 case SSL_CTRL_SET_DH_AUTO:
2441 return _SSL_CTX_set_dh_auto(ctx, larg);
2442
2443 case SSL_CTRL_SET_TMP_ECDH:
2444 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2445
2446 case SSL_CTRL_SET_TMP_ECDH_CB:
2447 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2448 return 0;
2449
2450 case SSL_CTRL_SET_ECDH_AUTO:
2451 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2452
2453 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2454 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2455
2456 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2457 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2458
2459 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2460 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2461
2462 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2463 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2464
2465 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2466 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2467
2468 case SSL_CTRL_CHAIN:
2469 if (larg == 0)
2470 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2471 else
2472 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2473
2474 case SSL_CTRL_CHAIN_CERT:
2475 if (larg == 0)
2476 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2477 else
2478 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2479
2480 case SSL_CTRL_GET_CHAIN_CERTS:
2481 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2482
2483 case SSL_CTRL_EXTRA_CHAIN_CERT:
2484 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2485
2486 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2487 if (larg == 0)
2488 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2489 else
2490 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2491
2492 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2493 return _SSL_CTX_clear_extra_chain_certs(ctx);
2494
2495 case SSL_CTRL_SET_GROUPS:
2496 return SSL_CTX_set1_groups(ctx, parg, larg);
2497
2498 case SSL_CTRL_SET_GROUPS_LIST:
2499 return SSL_CTX_set1_groups_list(ctx, parg);
2500
2501 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2502 return SSL_CTX_get_min_proto_version(ctx);
2503
2504 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2505 return SSL_CTX_get_max_proto_version(ctx);
2506
2507 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2508 if (larg < 0 || larg > UINT16_MAX)
2509 return 0;
2510 return SSL_CTX_set_min_proto_version(ctx, larg);
2511
2512 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2513 if (larg < 0 || larg > UINT16_MAX)
2514 return 0;
2515 return SSL_CTX_set_max_proto_version(ctx, larg);
2516
2517 /*
2518 * Legacy controls that should eventually be removed.
2519 */
2520 case SSL_CTRL_NEED_TMP_RSA:
2521 return 0;
2522
2523 case SSL_CTRL_SET_TMP_RSA:
2524 case SSL_CTRL_SET_TMP_RSA_CB:
2525 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2526 return 0;
2527 }
2528
2529 return 0;
2530}
2531
2532long
2533ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2534{
2535 switch (cmd) {
2536 case SSL_CTRL_SET_TMP_RSA_CB:
2537 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2538 return 0;
2539
2540 case SSL_CTRL_SET_TMP_DH_CB:
2541 ctx->cert->dhe_params_cb =
2542 (DH *(*)(SSL *, int, int))fp;
2543 return 1;
2544
2545 case SSL_CTRL_SET_TMP_ECDH_CB:
2546 return 1;
2547
2548 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2549 ctx->tlsext_servername_callback =
2550 (int (*)(SSL *, int *, void *))fp;
2551 return 1;
2552
2553 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2554 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb;
2555 return 1;
2556
2557 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2558 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2559 return 1;
2560
2561 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2562 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2563 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2564 return 1;
2565 }
2566
2567 return 0;
2568}
2569
2570SSL_CIPHER *
2571ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2572 STACK_OF(SSL_CIPHER) *srvr)
2573{
2574 unsigned long alg_k, alg_a, mask_k, mask_a;
2575 STACK_OF(SSL_CIPHER) *prio, *allow;
2576 SSL_CIPHER *c, *ret = NULL;
2577 int can_use_ecc;
2578 int i, ii, nid, ok;
2579 SSL_CERT *cert;
2580
2581 /* Let's see which ciphers we can support */
2582 cert = s->cert;
2583
2584 can_use_ecc = tls1_get_supported_group(s, &nid);
2585
2586 /*
2587 * Do not set the compare functions, because this may lead to a
2588 * reordering by "id". We want to keep the original ordering.
2589 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2590 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2591 */
2592
2593 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2594 prio = srvr;
2595 allow = clnt;
2596 } else {
2597 prio = clnt;
2598 allow = srvr;
2599 }
2600
2601 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2602 c = sk_SSL_CIPHER_value(prio, i);
2603
2604 /* Skip TLS v1.2 only ciphersuites if not supported. */
2605 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2606 !SSL_USE_TLS1_2_CIPHERS(s))
2607 continue;
2608
2609 /* Skip TLS v1.3 only ciphersuites if not supported. */
2610 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2611 !SSL_USE_TLS1_3_CIPHERS(s))
2612 continue;
2613
2614 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2615 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2616 !(c->algorithm_ssl & SSL_TLSV1_3))
2617 continue;
2618
2619 if (!ssl_security_shared_cipher(s, c))
2620 continue;
2621
2622 ssl_set_cert_masks(cert, c);
2623 mask_k = cert->mask_k;
2624 mask_a = cert->mask_a;
2625
2626 alg_k = c->algorithm_mkey;
2627 alg_a = c->algorithm_auth;
2628
2629 ok = (alg_k & mask_k) && (alg_a & mask_a);
2630
2631 /*
2632 * If we are considering an ECC cipher suite that uses our
2633 * certificate check it.
2634 */
2635 if (alg_a & SSL_aECDSA)
2636 ok = ok && tls1_check_ec_server_key(s);
2637 /*
2638 * If we are considering an ECC cipher suite that uses
2639 * an ephemeral EC key check it.
2640 */
2641 if (alg_k & SSL_kECDHE)
2642 ok = ok && can_use_ecc;
2643
2644 if (!ok)
2645 continue;
2646 ii = sk_SSL_CIPHER_find(allow, c);
2647 if (ii >= 0) {
2648 ret = sk_SSL_CIPHER_value(allow, ii);
2649 break;
2650 }
2651 }
2652 return (ret);
2653}
2654
2655int
2656ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2657{
2658 unsigned long alg_k;
2659
2660 alg_k = s->s3->hs.cipher->algorithm_mkey;
2661
2662#ifndef OPENSSL_NO_GOST
2663 if ((alg_k & SSL_kGOST) != 0) {
2664 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2665 return 0;
2666 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2667 return 0;
2668 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2669 return 0;
2670 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2671 return 0;
2672 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2673 return 0;
2674 }
2675#endif
2676
2677 if ((alg_k & SSL_kDHE) != 0) {
2678 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2679 return 0;
2680 }
2681
2682 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2683 return 0;
2684
2685 /*
2686 * ECDSA certs can be used with RSA cipher suites as well
2687 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2688 */
2689 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2690 return 0;
2691
2692 return 1;
2693}
2694
2695int
2696ssl3_shutdown(SSL *s)
2697{
2698 int ret;
2699
2700 /*
2701 * Don't do anything much if we have not done the handshake or
2702 * we don't want to send messages :-)
2703 */
2704 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2705 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2706 return (1);
2707 }
2708
2709 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
2710 s->shutdown|=SSL_SENT_SHUTDOWN;
2711 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2712 /*
2713 * Our shutdown alert has been sent now, and if it still needs
2714 * to be written, s->s3->alert_dispatch will be true
2715 */
2716 if (s->s3->alert_dispatch)
2717 return (-1); /* return WANT_WRITE */
2718 } else if (s->s3->alert_dispatch) {
2719 /* resend it if not sent */
2720 ret = ssl3_dispatch_alert(s);
2721 if (ret == -1) {
2722 /*
2723 * We only get to return -1 here the 2nd/Nth
2724 * invocation, we must have already signalled
2725 * return 0 upon a previous invoation,
2726 * return WANT_WRITE
2727 */
2728 return (ret);
2729 }
2730 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2731 /* If we are waiting for a close from our peer, we are closed */
2732 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2733 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2734 return (-1); /* return WANT_READ */
2735 }
2736 }
2737
2738 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2739 !s->s3->alert_dispatch)
2740 return (1);
2741 else
2742 return (0);
2743}
2744
2745int
2746ssl3_write(SSL *s, const void *buf, int len)
2747{
2748 errno = 0;
2749
2750 if (s->s3->renegotiate)
2751 ssl3_renegotiate_check(s);
2752
2753 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2754 buf, len);
2755}
2756
2757static int
2758ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2759{
2760 int ret;
2761
2762 errno = 0;
2763 if (s->s3->renegotiate)
2764 ssl3_renegotiate_check(s);
2765 s->s3->in_read_app_data = 1;
2766
2767 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2768 peek);
2769 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2770 /*
2771 * ssl3_read_bytes decided to call s->handshake_func,
2772 * which called ssl3_read_bytes to read handshake data.
2773 * However, ssl3_read_bytes actually found application data
2774 * and thinks that application data makes sense here; so disable
2775 * handshake processing and try to read application data again.
2776 */
2777 s->in_handshake++;
2778 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2779 buf, len, peek);
2780 s->in_handshake--;
2781 } else
2782 s->s3->in_read_app_data = 0;
2783
2784 return (ret);
2785}
2786
2787int
2788ssl3_read(SSL *s, void *buf, int len)
2789{
2790 return ssl3_read_internal(s, buf, len, 0);
2791}
2792
2793int
2794ssl3_peek(SSL *s, void *buf, int len)
2795{
2796 return ssl3_read_internal(s, buf, len, 1);
2797}
2798
2799int
2800ssl3_renegotiate(SSL *s)
2801{
2802 if (s->handshake_func == NULL)
2803 return 1;
2804
2805 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2806 return 0;
2807
2808 s->s3->renegotiate = 1;
2809
2810 return 1;
2811}
2812
2813int
2814ssl3_renegotiate_check(SSL *s)
2815{
2816 if (!s->s3->renegotiate)
2817 return 0;
2818 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2819 return 0;
2820
2821 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2822 s->s3->renegotiate = 0;
2823 s->s3->num_renegotiations++;
2824 s->s3->total_renegotiations++;
2825
2826 return 1;
2827}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 22:31:32 +0000