1 /* $OpenBSD: s3_lib.c,v 1.252 2024/05/10 05:08:05 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <limits.h>
152 #include <stdio.h>
153 #include <stdlib.h>
154
155 #include <openssl/bn.h>
156 #include <openssl/curve25519.h>
157 #include <openssl/dh.h>
158 #include <openssl/md5.h>
159 #include <openssl/objects.h>
160 #include <openssl/opensslconf.h>
161
162 #include "bytestring.h"
163 #include "dtls_local.h"
164 #include "ssl_local.h"
165 #include "ssl_sigalgs.h"
166 #include "ssl_tlsext.h"
167 #include "tls_content.h"
168
169 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
170
171 /* list of available SSLv3 ciphers (sorted by id) */
172 const SSL_CIPHER ssl3_ciphers[] = {
173
174 /* The RSA ciphers */
175 /* Cipher 01 */
176 {
177 .valid = 1,
178 .name = SSL3_TXT_RSA_NULL_MD5,
179 .id = SSL3_CK_RSA_NULL_MD5,
180 .algorithm_mkey = SSL_kRSA,
181 .algorithm_auth = SSL_aRSA,
182 .algorithm_enc = SSL_eNULL,
183 .algorithm_mac = SSL_MD5,
184 .algorithm_ssl = SSL_SSLV3,
185 .algo_strength = SSL_STRONG_NONE,
186 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
187 .strength_bits = 0,
188 .alg_bits = 0,
189 },
190
191 /* Cipher 02 */
192 {
193 .valid = 1,
194 .name = SSL3_TXT_RSA_NULL_SHA,
195 .id = SSL3_CK_RSA_NULL_SHA,
196 .algorithm_mkey = SSL_kRSA,
197 .algorithm_auth = SSL_aRSA,
198 .algorithm_enc = SSL_eNULL,
199 .algorithm_mac = SSL_SHA1,
200 .algorithm_ssl = SSL_SSLV3,
201 .algo_strength = SSL_STRONG_NONE,
202 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
203 .strength_bits = 0,
204 .alg_bits = 0,
205 },
206
207 /* Cipher 04 */
208 {
209 .valid = 1,
210 .name = SSL3_TXT_RSA_RC4_128_MD5,
211 .id = SSL3_CK_RSA_RC4_128_MD5,
212 .algorithm_mkey = SSL_kRSA,
213 .algorithm_auth = SSL_aRSA,
214 .algorithm_enc = SSL_RC4,
215 .algorithm_mac = SSL_MD5,
216 .algorithm_ssl = SSL_SSLV3,
217 .algo_strength = SSL_LOW,
218 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
219 .strength_bits = 128,
220 .alg_bits = 128,
221 },
222
223 /* Cipher 05 */
224 {
225 .valid = 1,
226 .name = SSL3_TXT_RSA_RC4_128_SHA,
227 .id = SSL3_CK_RSA_RC4_128_SHA,
228 .algorithm_mkey = SSL_kRSA,
229 .algorithm_auth = SSL_aRSA,
230 .algorithm_enc = SSL_RC4,
231 .algorithm_mac = SSL_SHA1,
232 .algorithm_ssl = SSL_SSLV3,
233 .algo_strength = SSL_LOW,
234 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
235 .strength_bits = 128,
236 .alg_bits = 128,
237 },
238
239 /* Cipher 0A */
240 {
241 .valid = 1,
242 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
243 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
244 .algorithm_mkey = SSL_kRSA,
245 .algorithm_auth = SSL_aRSA,
246 .algorithm_enc = SSL_3DES,
247 .algorithm_mac = SSL_SHA1,
248 .algorithm_ssl = SSL_SSLV3,
249 .algo_strength = SSL_MEDIUM,
250 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
251 .strength_bits = 112,
252 .alg_bits = 168,
253 },
254
255 /*
256 * Ephemeral DH (DHE) ciphers.
257 */
258
259 /* Cipher 16 */
260 {
261 .valid = 1,
262 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
263 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
264 .algorithm_mkey = SSL_kDHE,
265 .algorithm_auth = SSL_aRSA,
266 .algorithm_enc = SSL_3DES,
267 .algorithm_mac = SSL_SHA1,
268 .algorithm_ssl = SSL_SSLV3,
269 .algo_strength = SSL_MEDIUM,
270 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
271 .strength_bits = 112,
272 .alg_bits = 168,
273 },
274
275 /* Cipher 18 */
276 {
277 .valid = 1,
278 .name = SSL3_TXT_ADH_RC4_128_MD5,
279 .id = SSL3_CK_ADH_RC4_128_MD5,
280 .algorithm_mkey = SSL_kDHE,
281 .algorithm_auth = SSL_aNULL,
282 .algorithm_enc = SSL_RC4,
283 .algorithm_mac = SSL_MD5,
284 .algorithm_ssl = SSL_SSLV3,
285 .algo_strength = SSL_LOW,
286 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
287 .strength_bits = 128,
288 .alg_bits = 128,
289 },
290
291 /* Cipher 1B */
292 {
293 .valid = 1,
294 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
295 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
296 .algorithm_mkey = SSL_kDHE,
297 .algorithm_auth = SSL_aNULL,
298 .algorithm_enc = SSL_3DES,
299 .algorithm_mac = SSL_SHA1,
300 .algorithm_ssl = SSL_SSLV3,
301 .algo_strength = SSL_MEDIUM,
302 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
303 .strength_bits = 112,
304 .alg_bits = 168,
305 },
306
307 /*
308 * AES ciphersuites.
309 */
310
311 /* Cipher 2F */
312 {
313 .valid = 1,
314 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
315 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
316 .algorithm_mkey = SSL_kRSA,
317 .algorithm_auth = SSL_aRSA,
318 .algorithm_enc = SSL_AES128,
319 .algorithm_mac = SSL_SHA1,
320 .algorithm_ssl = SSL_TLSV1,
321 .algo_strength = SSL_HIGH,
322 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
323 .strength_bits = 128,
324 .alg_bits = 128,
325 },
326
327 /* Cipher 33 */
328 {
329 .valid = 1,
330 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
331 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
332 .algorithm_mkey = SSL_kDHE,
333 .algorithm_auth = SSL_aRSA,
334 .algorithm_enc = SSL_AES128,
335 .algorithm_mac = SSL_SHA1,
336 .algorithm_ssl = SSL_TLSV1,
337 .algo_strength = SSL_HIGH,
338 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
339 .strength_bits = 128,
340 .alg_bits = 128,
341 },
342
343 /* Cipher 34 */
344 {
345 .valid = 1,
346 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
347 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
348 .algorithm_mkey = SSL_kDHE,
349 .algorithm_auth = SSL_aNULL,
350 .algorithm_enc = SSL_AES128,
351 .algorithm_mac = SSL_SHA1,
352 .algorithm_ssl = SSL_TLSV1,
353 .algo_strength = SSL_HIGH,
354 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
355 .strength_bits = 128,
356 .alg_bits = 128,
357 },
358
359 /* Cipher 35 */
360 {
361 .valid = 1,
362 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
363 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
364 .algorithm_mkey = SSL_kRSA,
365 .algorithm_auth = SSL_aRSA,
366 .algorithm_enc = SSL_AES256,
367 .algorithm_mac = SSL_SHA1,
368 .algorithm_ssl = SSL_TLSV1,
369 .algo_strength = SSL_HIGH,
370 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
371 .strength_bits = 256,
372 .alg_bits = 256,
373 },
374
375 /* Cipher 39 */
376 {
377 .valid = 1,
378 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
379 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
380 .algorithm_mkey = SSL_kDHE,
381 .algorithm_auth = SSL_aRSA,
382 .algorithm_enc = SSL_AES256,
383 .algorithm_mac = SSL_SHA1,
384 .algorithm_ssl = SSL_TLSV1,
385 .algo_strength = SSL_HIGH,
386 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
387 .strength_bits = 256,
388 .alg_bits = 256,
389 },
390
391 /* Cipher 3A */
392 {
393 .valid = 1,
394 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
395 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
396 .algorithm_mkey = SSL_kDHE,
397 .algorithm_auth = SSL_aNULL,
398 .algorithm_enc = SSL_AES256,
399 .algorithm_mac = SSL_SHA1,
400 .algorithm_ssl = SSL_TLSV1,
401 .algo_strength = SSL_HIGH,
402 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
403 .strength_bits = 256,
404 .alg_bits = 256,
405 },
406
407 /* TLS v1.2 ciphersuites */
408 /* Cipher 3B */
409 {
410 .valid = 1,
411 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
412 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
413 .algorithm_mkey = SSL_kRSA,
414 .algorithm_auth = SSL_aRSA,
415 .algorithm_enc = SSL_eNULL,
416 .algorithm_mac = SSL_SHA256,
417 .algorithm_ssl = SSL_TLSV1_2,
418 .algo_strength = SSL_STRONG_NONE,
419 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
420 .strength_bits = 0,
421 .alg_bits = 0,
422 },
423
424 /* Cipher 3C */
425 {
426 .valid = 1,
427 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
428 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
429 .algorithm_mkey = SSL_kRSA,
430 .algorithm_auth = SSL_aRSA,
431 .algorithm_enc = SSL_AES128,
432 .algorithm_mac = SSL_SHA256,
433 .algorithm_ssl = SSL_TLSV1_2,
434 .algo_strength = SSL_HIGH,
435 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
436 .strength_bits = 128,
437 .alg_bits = 128,
438 },
439
440 /* Cipher 3D */
441 {
442 .valid = 1,
443 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
444 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
445 .algorithm_mkey = SSL_kRSA,
446 .algorithm_auth = SSL_aRSA,
447 .algorithm_enc = SSL_AES256,
448 .algorithm_mac = SSL_SHA256,
449 .algorithm_ssl = SSL_TLSV1_2,
450 .algo_strength = SSL_HIGH,
451 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
452 .strength_bits = 256,
453 .alg_bits = 256,
454 },
455
456 #ifndef OPENSSL_NO_CAMELLIA
457 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
458
459 /* Cipher 41 */
460 {
461 .valid = 1,
462 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
463 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
464 .algorithm_mkey = SSL_kRSA,
465 .algorithm_auth = SSL_aRSA,
466 .algorithm_enc = SSL_CAMELLIA128,
467 .algorithm_mac = SSL_SHA1,
468 .algorithm_ssl = SSL_TLSV1,
469 .algo_strength = SSL_HIGH,
470 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
471 .strength_bits = 128,
472 .alg_bits = 128,
473 },
474
475 /* Cipher 45 */
476 {
477 .valid = 1,
478 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
479 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
480 .algorithm_mkey = SSL_kDHE,
481 .algorithm_auth = SSL_aRSA,
482 .algorithm_enc = SSL_CAMELLIA128,
483 .algorithm_mac = SSL_SHA1,
484 .algorithm_ssl = SSL_TLSV1,
485 .algo_strength = SSL_HIGH,
486 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
487 .strength_bits = 128,
488 .alg_bits = 128,
489 },
490
491 /* Cipher 46 */
492 {
493 .valid = 1,
494 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
495 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
496 .algorithm_mkey = SSL_kDHE,
497 .algorithm_auth = SSL_aNULL,
498 .algorithm_enc = SSL_CAMELLIA128,
499 .algorithm_mac = SSL_SHA1,
500 .algorithm_ssl = SSL_TLSV1,
501 .algo_strength = SSL_HIGH,
502 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
503 .strength_bits = 128,
504 .alg_bits = 128,
505 },
506 #endif /* OPENSSL_NO_CAMELLIA */
507
508 /* TLS v1.2 ciphersuites */
509 /* Cipher 67 */
510 {
511 .valid = 1,
512 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
513 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
514 .algorithm_mkey = SSL_kDHE,
515 .algorithm_auth = SSL_aRSA,
516 .algorithm_enc = SSL_AES128,
517 .algorithm_mac = SSL_SHA256,
518 .algorithm_ssl = SSL_TLSV1_2,
519 .algo_strength = SSL_HIGH,
520 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
521 .strength_bits = 128,
522 .alg_bits = 128,
523 },
524
525 /* Cipher 6B */
526 {
527 .valid = 1,
528 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
529 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
530 .algorithm_mkey = SSL_kDHE,
531 .algorithm_auth = SSL_aRSA,
532 .algorithm_enc = SSL_AES256,
533 .algorithm_mac = SSL_SHA256,
534 .algorithm_ssl = SSL_TLSV1_2,
535 .algo_strength = SSL_HIGH,
536 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
537 .strength_bits = 256,
538 .alg_bits = 256,
539 },
540
541 /* Cipher 6C */
542 {
543 .valid = 1,
544 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
545 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
546 .algorithm_mkey = SSL_kDHE,
547 .algorithm_auth = SSL_aNULL,
548 .algorithm_enc = SSL_AES128,
549 .algorithm_mac = SSL_SHA256,
550 .algorithm_ssl = SSL_TLSV1_2,
551 .algo_strength = SSL_HIGH,
552 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
553 .strength_bits = 128,
554 .alg_bits = 128,
555 },
556
557 /* Cipher 6D */
558 {
559 .valid = 1,
560 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
561 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
562 .algorithm_mkey = SSL_kDHE,
563 .algorithm_auth = SSL_aNULL,
564 .algorithm_enc = SSL_AES256,
565 .algorithm_mac = SSL_SHA256,
566 .algorithm_ssl = SSL_TLSV1_2,
567 .algo_strength = SSL_HIGH,
568 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
569 .strength_bits = 256,
570 .alg_bits = 256,
571 },
572
573 #ifndef OPENSSL_NO_CAMELLIA
574 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
575
576 /* Cipher 84 */
577 {
578 .valid = 1,
579 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
580 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
581 .algorithm_mkey = SSL_kRSA,
582 .algorithm_auth = SSL_aRSA,
583 .algorithm_enc = SSL_CAMELLIA256,
584 .algorithm_mac = SSL_SHA1,
585 .algorithm_ssl = SSL_TLSV1,
586 .algo_strength = SSL_HIGH,
587 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
588 .strength_bits = 256,
589 .alg_bits = 256,
590 },
591
592 /* Cipher 88 */
593 {
594 .valid = 1,
595 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
596 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
597 .algorithm_mkey = SSL_kDHE,
598 .algorithm_auth = SSL_aRSA,
599 .algorithm_enc = SSL_CAMELLIA256,
600 .algorithm_mac = SSL_SHA1,
601 .algorithm_ssl = SSL_TLSV1,
602 .algo_strength = SSL_HIGH,
603 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
604 .strength_bits = 256,
605 .alg_bits = 256,
606 },
607
608 /* Cipher 89 */
609 {
610 .valid = 1,
611 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
612 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
613 .algorithm_mkey = SSL_kDHE,
614 .algorithm_auth = SSL_aNULL,
615 .algorithm_enc = SSL_CAMELLIA256,
616 .algorithm_mac = SSL_SHA1,
617 .algorithm_ssl = SSL_TLSV1,
618 .algo_strength = SSL_HIGH,
619 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
620 .strength_bits = 256,
621 .alg_bits = 256,
622 },
623 #endif /* OPENSSL_NO_CAMELLIA */
624
625 /*
626 * GCM ciphersuites from RFC5288.
627 */
628
629 /* Cipher 9C */
630 {
631 .valid = 1,
632 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
633 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
634 .algorithm_mkey = SSL_kRSA,
635 .algorithm_auth = SSL_aRSA,
636 .algorithm_enc = SSL_AES128GCM,
637 .algorithm_mac = SSL_AEAD,
638 .algorithm_ssl = SSL_TLSV1_2,
639 .algo_strength = SSL_HIGH,
640 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
641 .strength_bits = 128,
642 .alg_bits = 128,
643 },
644
645 /* Cipher 9D */
646 {
647 .valid = 1,
648 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
649 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
650 .algorithm_mkey = SSL_kRSA,
651 .algorithm_auth = SSL_aRSA,
652 .algorithm_enc = SSL_AES256GCM,
653 .algorithm_mac = SSL_AEAD,
654 .algorithm_ssl = SSL_TLSV1_2,
655 .algo_strength = SSL_HIGH,
656 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
657 .strength_bits = 256,
658 .alg_bits = 256,
659 },
660
661 /* Cipher 9E */
662 {
663 .valid = 1,
664 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
665 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
666 .algorithm_mkey = SSL_kDHE,
667 .algorithm_auth = SSL_aRSA,
668 .algorithm_enc = SSL_AES128GCM,
669 .algorithm_mac = SSL_AEAD,
670 .algorithm_ssl = SSL_TLSV1_2,
671 .algo_strength = SSL_HIGH,
672 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
673 .strength_bits = 128,
674 .alg_bits = 128,
675 },
676
677 /* Cipher 9F */
678 {
679 .valid = 1,
680 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
681 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
682 .algorithm_mkey = SSL_kDHE,
683 .algorithm_auth = SSL_aRSA,
684 .algorithm_enc = SSL_AES256GCM,
685 .algorithm_mac = SSL_AEAD,
686 .algorithm_ssl = SSL_TLSV1_2,
687 .algo_strength = SSL_HIGH,
688 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
689 .strength_bits = 256,
690 .alg_bits = 256,
691 },
692
693 /* Cipher A6 */
694 {
695 .valid = 1,
696 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
697 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
698 .algorithm_mkey = SSL_kDHE,
699 .algorithm_auth = SSL_aNULL,
700 .algorithm_enc = SSL_AES128GCM,
701 .algorithm_mac = SSL_AEAD,
702 .algorithm_ssl = SSL_TLSV1_2,
703 .algo_strength = SSL_HIGH,
704 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
705 .strength_bits = 128,
706 .alg_bits = 128,
707 },
708
709 /* Cipher A7 */
710 {
711 .valid = 1,
712 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
713 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
714 .algorithm_mkey = SSL_kDHE,
715 .algorithm_auth = SSL_aNULL,
716 .algorithm_enc = SSL_AES256GCM,
717 .algorithm_mac = SSL_AEAD,
718 .algorithm_ssl = SSL_TLSV1_2,
719 .algo_strength = SSL_HIGH,
720 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
721 .strength_bits = 256,
722 .alg_bits = 256,
723 },
724
725 #ifndef OPENSSL_NO_CAMELLIA
726 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
727
728 /* Cipher BA */
729 {
730 .valid = 1,
731 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
732 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
733 .algorithm_mkey = SSL_kRSA,
734 .algorithm_auth = SSL_aRSA,
735 .algorithm_enc = SSL_CAMELLIA128,
736 .algorithm_mac = SSL_SHA256,
737 .algorithm_ssl = SSL_TLSV1_2,
738 .algo_strength = SSL_HIGH,
739 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
740 .strength_bits = 128,
741 .alg_bits = 128,
742 },
743
744 /* Cipher BE */
745 {
746 .valid = 1,
747 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
748 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
749 .algorithm_mkey = SSL_kDHE,
750 .algorithm_auth = SSL_aRSA,
751 .algorithm_enc = SSL_CAMELLIA128,
752 .algorithm_mac = SSL_SHA256,
753 .algorithm_ssl = SSL_TLSV1_2,
754 .algo_strength = SSL_HIGH,
755 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
756 .strength_bits = 128,
757 .alg_bits = 128,
758 },
759
760 /* Cipher BF */
761 {
762 .valid = 1,
763 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
764 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
765 .algorithm_mkey = SSL_kDHE,
766 .algorithm_auth = SSL_aNULL,
767 .algorithm_enc = SSL_CAMELLIA128,
768 .algorithm_mac = SSL_SHA256,
769 .algorithm_ssl = SSL_TLSV1_2,
770 .algo_strength = SSL_HIGH,
771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
772 .strength_bits = 128,
773 .alg_bits = 128,
774 },
775
776 /* Cipher C0 */
777 {
778 .valid = 1,
779 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
780 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
781 .algorithm_mkey = SSL_kRSA,
782 .algorithm_auth = SSL_aRSA,
783 .algorithm_enc = SSL_CAMELLIA256,
784 .algorithm_mac = SSL_SHA256,
785 .algorithm_ssl = SSL_TLSV1_2,
786 .algo_strength = SSL_HIGH,
787 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
788 .strength_bits = 256,
789 .alg_bits = 256,
790 },
791
792 /* Cipher C4 */
793 {
794 .valid = 1,
795 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
796 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
797 .algorithm_mkey = SSL_kDHE,
798 .algorithm_auth = SSL_aRSA,
799 .algorithm_enc = SSL_CAMELLIA256,
800 .algorithm_mac = SSL_SHA256,
801 .algorithm_ssl = SSL_TLSV1_2,
802 .algo_strength = SSL_HIGH,
803 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
804 .strength_bits = 256,
805 .alg_bits = 256,
806 },
807
808 /* Cipher C5 */
809 {
810 .valid = 1,
811 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
812 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
813 .algorithm_mkey = SSL_kDHE,
814 .algorithm_auth = SSL_aNULL,
815 .algorithm_enc = SSL_CAMELLIA256,
816 .algorithm_mac = SSL_SHA256,
817 .algorithm_ssl = SSL_TLSV1_2,
818 .algo_strength = SSL_HIGH,
819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
820 .strength_bits = 256,
821 .alg_bits = 256,
822 },
823 #endif /* OPENSSL_NO_CAMELLIA */
824
825 /*
826 * TLSv1.3 cipher suites.
827 */
828
829 #ifdef LIBRESSL_HAS_TLS1_3
830 /* Cipher 1301 */
831 {
832 .valid = 1,
833 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
834 .id = TLS1_3_CK_AES_128_GCM_SHA256,
835 .algorithm_mkey = SSL_kTLS1_3,
836 .algorithm_auth = SSL_aTLS1_3,
837 .algorithm_enc = SSL_AES128GCM,
838 .algorithm_mac = SSL_AEAD,
839 .algorithm_ssl = SSL_TLSV1_3,
840 .algo_strength = SSL_HIGH,
841 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
842 .strength_bits = 128,
843 .alg_bits = 128,
844 },
845
846 /* Cipher 1302 */
847 {
848 .valid = 1,
849 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
850 .id = TLS1_3_CK_AES_256_GCM_SHA384,
851 .algorithm_mkey = SSL_kTLS1_3,
852 .algorithm_auth = SSL_aTLS1_3,
853 .algorithm_enc = SSL_AES256GCM,
854 .algorithm_mac = SSL_AEAD,
855 .algorithm_ssl = SSL_TLSV1_3,
856 .algo_strength = SSL_HIGH,
857 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
858 .strength_bits = 256,
859 .alg_bits = 256,
860 },
861
862 /* Cipher 1303 */
863 {
864 .valid = 1,
865 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
866 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
867 .algorithm_mkey = SSL_kTLS1_3,
868 .algorithm_auth = SSL_aTLS1_3,
869 .algorithm_enc = SSL_CHACHA20POLY1305,
870 .algorithm_mac = SSL_AEAD,
871 .algorithm_ssl = SSL_TLSV1_3,
872 .algo_strength = SSL_HIGH,
873 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
874 .strength_bits = 256,
875 .alg_bits = 256,
876 },
877 #endif
878
879 /* Cipher C006 */
880 {
881 .valid = 1,
882 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
883 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
884 .algorithm_mkey = SSL_kECDHE,
885 .algorithm_auth = SSL_aECDSA,
886 .algorithm_enc = SSL_eNULL,
887 .algorithm_mac = SSL_SHA1,
888 .algorithm_ssl = SSL_TLSV1,
889 .algo_strength = SSL_STRONG_NONE,
890 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
891 .strength_bits = 0,
892 .alg_bits = 0,
893 },
894
895 /* Cipher C007 */
896 {
897 .valid = 1,
898 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
899 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
900 .algorithm_mkey = SSL_kECDHE,
901 .algorithm_auth = SSL_aECDSA,
902 .algorithm_enc = SSL_RC4,
903 .algorithm_mac = SSL_SHA1,
904 .algorithm_ssl = SSL_TLSV1,
905 .algo_strength = SSL_LOW,
906 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
907 .strength_bits = 128,
908 .alg_bits = 128,
909 },
910
911 /* Cipher C008 */
912 {
913 .valid = 1,
914 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
915 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
916 .algorithm_mkey = SSL_kECDHE,
917 .algorithm_auth = SSL_aECDSA,
918 .algorithm_enc = SSL_3DES,
919 .algorithm_mac = SSL_SHA1,
920 .algorithm_ssl = SSL_TLSV1,
921 .algo_strength = SSL_MEDIUM,
922 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
923 .strength_bits = 112,
924 .alg_bits = 168,
925 },
926
927 /* Cipher C009 */
928 {
929 .valid = 1,
930 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
931 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
932 .algorithm_mkey = SSL_kECDHE,
933 .algorithm_auth = SSL_aECDSA,
934 .algorithm_enc = SSL_AES128,
935 .algorithm_mac = SSL_SHA1,
936 .algorithm_ssl = SSL_TLSV1,
937 .algo_strength = SSL_HIGH,
938 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
939 .strength_bits = 128,
940 .alg_bits = 128,
941 },
942
943 /* Cipher C00A */
944 {
945 .valid = 1,
946 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
947 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
948 .algorithm_mkey = SSL_kECDHE,
949 .algorithm_auth = SSL_aECDSA,
950 .algorithm_enc = SSL_AES256,
951 .algorithm_mac = SSL_SHA1,
952 .algorithm_ssl = SSL_TLSV1,
953 .algo_strength = SSL_HIGH,
954 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
955 .strength_bits = 256,
956 .alg_bits = 256,
957 },
958
959 /* Cipher C010 */
960 {
961 .valid = 1,
962 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
963 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
964 .algorithm_mkey = SSL_kECDHE,
965 .algorithm_auth = SSL_aRSA,
966 .algorithm_enc = SSL_eNULL,
967 .algorithm_mac = SSL_SHA1,
968 .algorithm_ssl = SSL_TLSV1,
969 .algo_strength = SSL_STRONG_NONE,
970 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
971 .strength_bits = 0,
972 .alg_bits = 0,
973 },
974
975 /* Cipher C011 */
976 {
977 .valid = 1,
978 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
979 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
980 .algorithm_mkey = SSL_kECDHE,
981 .algorithm_auth = SSL_aRSA,
982 .algorithm_enc = SSL_RC4,
983 .algorithm_mac = SSL_SHA1,
984 .algorithm_ssl = SSL_TLSV1,
985 .algo_strength = SSL_LOW,
986 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
987 .strength_bits = 128,
988 .alg_bits = 128,
989 },
990
991 /* Cipher C012 */
992 {
993 .valid = 1,
994 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
995 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
996 .algorithm_mkey = SSL_kECDHE,
997 .algorithm_auth = SSL_aRSA,
998 .algorithm_enc = SSL_3DES,
999 .algorithm_mac = SSL_SHA1,
1000 .algorithm_ssl = SSL_TLSV1,
1001 .algo_strength = SSL_MEDIUM,
1002 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1003 .strength_bits = 112,
1004 .alg_bits = 168,
1005 },
1006
1007 /* Cipher C013 */
1008 {
1009 .valid = 1,
1010 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1011 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1012 .algorithm_mkey = SSL_kECDHE,
1013 .algorithm_auth = SSL_aRSA,
1014 .algorithm_enc = SSL_AES128,
1015 .algorithm_mac = SSL_SHA1,
1016 .algorithm_ssl = SSL_TLSV1,
1017 .algo_strength = SSL_HIGH,
1018 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1019 .strength_bits = 128,
1020 .alg_bits = 128,
1021 },
1022
1023 /* Cipher C014 */
1024 {
1025 .valid = 1,
1026 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1027 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1028 .algorithm_mkey = SSL_kECDHE,
1029 .algorithm_auth = SSL_aRSA,
1030 .algorithm_enc = SSL_AES256,
1031 .algorithm_mac = SSL_SHA1,
1032 .algorithm_ssl = SSL_TLSV1,
1033 .algo_strength = SSL_HIGH,
1034 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1035 .strength_bits = 256,
1036 .alg_bits = 256,
1037 },
1038
1039 /* Cipher C015 */
1040 {
1041 .valid = 1,
1042 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1043 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1044 .algorithm_mkey = SSL_kECDHE,
1045 .algorithm_auth = SSL_aNULL,
1046 .algorithm_enc = SSL_eNULL,
1047 .algorithm_mac = SSL_SHA1,
1048 .algorithm_ssl = SSL_TLSV1,
1049 .algo_strength = SSL_STRONG_NONE,
1050 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1051 .strength_bits = 0,
1052 .alg_bits = 0,
1053 },
1054
1055 /* Cipher C016 */
1056 {
1057 .valid = 1,
1058 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1059 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1060 .algorithm_mkey = SSL_kECDHE,
1061 .algorithm_auth = SSL_aNULL,
1062 .algorithm_enc = SSL_RC4,
1063 .algorithm_mac = SSL_SHA1,
1064 .algorithm_ssl = SSL_TLSV1,
1065 .algo_strength = SSL_LOW,
1066 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1067 .strength_bits = 128,
1068 .alg_bits = 128,
1069 },
1070
1071 /* Cipher C017 */
1072 {
1073 .valid = 1,
1074 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1075 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1076 .algorithm_mkey = SSL_kECDHE,
1077 .algorithm_auth = SSL_aNULL,
1078 .algorithm_enc = SSL_3DES,
1079 .algorithm_mac = SSL_SHA1,
1080 .algorithm_ssl = SSL_TLSV1,
1081 .algo_strength = SSL_MEDIUM,
1082 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1083 .strength_bits = 112,
1084 .alg_bits = 168,
1085 },
1086
1087 /* Cipher C018 */
1088 {
1089 .valid = 1,
1090 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1091 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1092 .algorithm_mkey = SSL_kECDHE,
1093 .algorithm_auth = SSL_aNULL,
1094 .algorithm_enc = SSL_AES128,
1095 .algorithm_mac = SSL_SHA1,
1096 .algorithm_ssl = SSL_TLSV1,
1097 .algo_strength = SSL_HIGH,
1098 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1099 .strength_bits = 128,
1100 .alg_bits = 128,
1101 },
1102
1103 /* Cipher C019 */
1104 {
1105 .valid = 1,
1106 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1107 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1108 .algorithm_mkey = SSL_kECDHE,
1109 .algorithm_auth = SSL_aNULL,
1110 .algorithm_enc = SSL_AES256,
1111 .algorithm_mac = SSL_SHA1,
1112 .algorithm_ssl = SSL_TLSV1,
1113 .algo_strength = SSL_HIGH,
1114 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1115 .strength_bits = 256,
1116 .alg_bits = 256,
1117 },
1118
1119
1120 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1121
1122 /* Cipher C023 */
1123 {
1124 .valid = 1,
1125 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1126 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1127 .algorithm_mkey = SSL_kECDHE,
1128 .algorithm_auth = SSL_aECDSA,
1129 .algorithm_enc = SSL_AES128,
1130 .algorithm_mac = SSL_SHA256,
1131 .algorithm_ssl = SSL_TLSV1_2,
1132 .algo_strength = SSL_HIGH,
1133 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1134 .strength_bits = 128,
1135 .alg_bits = 128,
1136 },
1137
1138 /* Cipher C024 */
1139 {
1140 .valid = 1,
1141 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1142 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1143 .algorithm_mkey = SSL_kECDHE,
1144 .algorithm_auth = SSL_aECDSA,
1145 .algorithm_enc = SSL_AES256,
1146 .algorithm_mac = SSL_SHA384,
1147 .algorithm_ssl = SSL_TLSV1_2,
1148 .algo_strength = SSL_HIGH,
1149 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1150 .strength_bits = 256,
1151 .alg_bits = 256,
1152 },
1153
1154 /* Cipher C027 */
1155 {
1156 .valid = 1,
1157 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1158 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1159 .algorithm_mkey = SSL_kECDHE,
1160 .algorithm_auth = SSL_aRSA,
1161 .algorithm_enc = SSL_AES128,
1162 .algorithm_mac = SSL_SHA256,
1163 .algorithm_ssl = SSL_TLSV1_2,
1164 .algo_strength = SSL_HIGH,
1165 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1166 .strength_bits = 128,
1167 .alg_bits = 128,
1168 },
1169
1170 /* Cipher C028 */
1171 {
1172 .valid = 1,
1173 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1174 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1175 .algorithm_mkey = SSL_kECDHE,
1176 .algorithm_auth = SSL_aRSA,
1177 .algorithm_enc = SSL_AES256,
1178 .algorithm_mac = SSL_SHA384,
1179 .algorithm_ssl = SSL_TLSV1_2,
1180 .algo_strength = SSL_HIGH,
1181 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1182 .strength_bits = 256,
1183 .alg_bits = 256,
1184 },
1185
1186 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1187
1188 /* Cipher C02B */
1189 {
1190 .valid = 1,
1191 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1192 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1193 .algorithm_mkey = SSL_kECDHE,
1194 .algorithm_auth = SSL_aECDSA,
1195 .algorithm_enc = SSL_AES128GCM,
1196 .algorithm_mac = SSL_AEAD,
1197 .algorithm_ssl = SSL_TLSV1_2,
1198 .algo_strength = SSL_HIGH,
1199 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1200 .strength_bits = 128,
1201 .alg_bits = 128,
1202 },
1203
1204 /* Cipher C02C */
1205 {
1206 .valid = 1,
1207 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1208 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1209 .algorithm_mkey = SSL_kECDHE,
1210 .algorithm_auth = SSL_aECDSA,
1211 .algorithm_enc = SSL_AES256GCM,
1212 .algorithm_mac = SSL_AEAD,
1213 .algorithm_ssl = SSL_TLSV1_2,
1214 .algo_strength = SSL_HIGH,
1215 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1216 .strength_bits = 256,
1217 .alg_bits = 256,
1218 },
1219
1220 /* Cipher C02F */
1221 {
1222 .valid = 1,
1223 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1224 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1225 .algorithm_mkey = SSL_kECDHE,
1226 .algorithm_auth = SSL_aRSA,
1227 .algorithm_enc = SSL_AES128GCM,
1228 .algorithm_mac = SSL_AEAD,
1229 .algorithm_ssl = SSL_TLSV1_2,
1230 .algo_strength = SSL_HIGH,
1231 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1232 .strength_bits = 128,
1233 .alg_bits = 128,
1234 },
1235
1236 /* Cipher C030 */
1237 {
1238 .valid = 1,
1239 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1240 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1241 .algorithm_mkey = SSL_kECDHE,
1242 .algorithm_auth = SSL_aRSA,
1243 .algorithm_enc = SSL_AES256GCM,
1244 .algorithm_mac = SSL_AEAD,
1245 .algorithm_ssl = SSL_TLSV1_2,
1246 .algo_strength = SSL_HIGH,
1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1248 .strength_bits = 256,
1249 .alg_bits = 256,
1250 },
1251
1252 /* Cipher CCA8 */
1253 {
1254 .valid = 1,
1255 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1256 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1257 .algorithm_mkey = SSL_kECDHE,
1258 .algorithm_auth = SSL_aRSA,
1259 .algorithm_enc = SSL_CHACHA20POLY1305,
1260 .algorithm_mac = SSL_AEAD,
1261 .algorithm_ssl = SSL_TLSV1_2,
1262 .algo_strength = SSL_HIGH,
1263 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1264 .strength_bits = 256,
1265 .alg_bits = 256,
1266 },
1267
1268 /* Cipher CCA9 */
1269 {
1270 .valid = 1,
1271 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1272 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1273 .algorithm_mkey = SSL_kECDHE,
1274 .algorithm_auth = SSL_aECDSA,
1275 .algorithm_enc = SSL_CHACHA20POLY1305,
1276 .algorithm_mac = SSL_AEAD,
1277 .algorithm_ssl = SSL_TLSV1_2,
1278 .algo_strength = SSL_HIGH,
1279 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1280 .strength_bits = 256,
1281 .alg_bits = 256,
1282 },
1283
1284 /* Cipher CCAA */
1285 {
1286 .valid = 1,
1287 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1288 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1289 .algorithm_mkey = SSL_kDHE,
1290 .algorithm_auth = SSL_aRSA,
1291 .algorithm_enc = SSL_CHACHA20POLY1305,
1292 .algorithm_mac = SSL_AEAD,
1293 .algorithm_ssl = SSL_TLSV1_2,
1294 .algo_strength = SSL_HIGH,
1295 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1296 .strength_bits = 256,
1297 .alg_bits = 256,
1298 },
1299
1300 /* end of list */
1301 };
1302
1303 int
ssl3_num_ciphers(void)1304 ssl3_num_ciphers(void)
1305 {
1306 return (SSL3_NUM_CIPHERS);
1307 }
1308
1309 const SSL_CIPHER *
ssl3_get_cipher(unsigned int u)1310 ssl3_get_cipher(unsigned int u)
1311 {
1312 if (u < SSL3_NUM_CIPHERS)
1313 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1314 else
1315 return (NULL);
1316 }
1317
1318 static int
ssl3_cipher_id_cmp(const void * id,const void * cipher)1319 ssl3_cipher_id_cmp(const void *id, const void *cipher)
1320 {
1321 unsigned long a = *(const unsigned long *)id;
1322 unsigned long b = ((const SSL_CIPHER *)cipher)->id;
1323
1324 return a < b ? -1 : a > b;
1325 }
1326
1327 const SSL_CIPHER *
ssl3_get_cipher_by_id(unsigned long id)1328 ssl3_get_cipher_by_id(unsigned long id)
1329 {
1330 const SSL_CIPHER *cipher;
1331
1332 cipher = bsearch(&id, ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(*cipher),
1333 ssl3_cipher_id_cmp);
1334 if (cipher != NULL && cipher->valid == 1)
1335 return cipher;
1336
1337 return NULL;
1338 }
1339
1340 const SSL_CIPHER *
ssl3_get_cipher_by_value(uint16_t value)1341 ssl3_get_cipher_by_value(uint16_t value)
1342 {
1343 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1344 }
1345
1346 uint16_t
ssl3_cipher_get_value(const SSL_CIPHER * c)1347 ssl3_cipher_get_value(const SSL_CIPHER *c)
1348 {
1349 return (c->id & SSL3_CK_VALUE_MASK);
1350 }
1351
1352 int
ssl3_pending(const SSL * s)1353 ssl3_pending(const SSL *s)
1354 {
1355 if (s->s3->rcontent == NULL)
1356 return 0;
1357 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA)
1358 return 0;
1359
1360 return tls_content_remaining(s->s3->rcontent);
1361 }
1362
1363 int
ssl3_handshake_msg_hdr_len(SSL * s)1364 ssl3_handshake_msg_hdr_len(SSL *s)
1365 {
1366 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1367 SSL3_HM_HEADER_LENGTH);
1368 }
1369
1370 int
ssl3_handshake_msg_start(SSL * s,CBB * handshake,CBB * body,uint8_t msg_type)1371 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1372 {
1373 int ret = 0;
1374
1375 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1376 goto err;
1377 if (!CBB_add_u8(handshake, msg_type))
1378 goto err;
1379 if (SSL_is_dtls(s)) {
1380 unsigned char *data;
1381
1382 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1383 SSL3_HM_HEADER_LENGTH))
1384 goto err;
1385 }
1386 if (!CBB_add_u24_length_prefixed(handshake, body))
1387 goto err;
1388
1389 ret = 1;
1390
1391 err:
1392 return (ret);
1393 }
1394
1395 int
ssl3_handshake_msg_finish(SSL * s,CBB * handshake)1396 ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1397 {
1398 unsigned char *data = NULL;
1399 size_t outlen;
1400 int ret = 0;
1401
1402 if (!CBB_finish(handshake, &data, &outlen))
1403 goto err;
1404
1405 if (outlen > INT_MAX)
1406 goto err;
1407
1408 if (!BUF_MEM_grow_clean(s->init_buf, outlen))
1409 goto err;
1410
1411 memcpy(s->init_buf->data, data, outlen);
1412
1413 s->init_num = (int)outlen;
1414 s->init_off = 0;
1415
1416 if (SSL_is_dtls(s)) {
1417 unsigned long len;
1418 uint8_t msg_type;
1419 CBS cbs;
1420
1421 CBS_init(&cbs, data, outlen);
1422 if (!CBS_get_u8(&cbs, &msg_type))
1423 goto err;
1424
1425 len = outlen - ssl3_handshake_msg_hdr_len(s);
1426
1427 dtls1_set_message_header(s, msg_type, len, 0, len);
1428 dtls1_buffer_message(s, 0);
1429 }
1430
1431 ret = 1;
1432
1433 err:
1434 free(data);
1435
1436 return (ret);
1437 }
1438
1439 int
ssl3_handshake_write(SSL * s)1440 ssl3_handshake_write(SSL *s)
1441 {
1442 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1443 }
1444
1445 int
ssl3_record_write(SSL * s,int type)1446 ssl3_record_write(SSL *s, int type)
1447 {
1448 if (SSL_is_dtls(s))
1449 return dtls1_do_write(s, type);
1450
1451 return ssl3_do_write(s, type);
1452 }
1453
1454 int
ssl3_new(SSL * s)1455 ssl3_new(SSL *s)
1456 {
1457 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1458 return (0);
1459
1460 s->method->ssl_clear(s);
1461
1462 return (1);
1463 }
1464
1465 void
ssl3_free(SSL * s)1466 ssl3_free(SSL *s)
1467 {
1468 if (s == NULL)
1469 return;
1470
1471 tls1_cleanup_key_block(s);
1472 ssl3_release_read_buffer(s);
1473 ssl3_release_write_buffer(s);
1474
1475 tls_content_free(s->s3->rcontent);
1476
1477 tls_buffer_free(s->s3->alert_fragment);
1478 tls_buffer_free(s->s3->handshake_fragment);
1479
1480 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1481 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1482 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1483 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
1484 tls_key_share_free(s->s3->hs.key_share);
1485
1486 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1487 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1488 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1489
1490 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1491
1492 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1493
1494 tls1_transcript_free(s);
1495 tls1_transcript_hash_free(s);
1496
1497 free(s->s3->alpn_selected);
1498
1499 freezero(s->s3->peer_quic_transport_params,
1500 s->s3->peer_quic_transport_params_len);
1501
1502 freezero(s->s3, sizeof(*s->s3));
1503
1504 s->s3 = NULL;
1505 }
1506
1507 void
ssl3_clear(SSL * s)1508 ssl3_clear(SSL *s)
1509 {
1510 unsigned char *rp, *wp;
1511 size_t rlen, wlen;
1512
1513 tls1_cleanup_key_block(s);
1514 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1515
1516 tls_buffer_free(s->s3->alert_fragment);
1517 s->s3->alert_fragment = NULL;
1518 tls_buffer_free(s->s3->handshake_fragment);
1519 s->s3->handshake_fragment = NULL;
1520
1521 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1522 s->s3->hs.sigalgs = NULL;
1523 s->s3->hs.sigalgs_len = 0;
1524
1525 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1526 s->s3->hs.peer_certs = NULL;
1527 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1528 s->s3->hs.peer_certs_no_leaf = NULL;
1529 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
1530 s->s3->hs.verified_chain = NULL;
1531
1532 tls_key_share_free(s->s3->hs.key_share);
1533 s->s3->hs.key_share = NULL;
1534
1535 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1536 s->s3->hs.tls13.secrets = NULL;
1537 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1538 s->s3->hs.tls13.cookie = NULL;
1539 s->s3->hs.tls13.cookie_len = 0;
1540 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1541
1542 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1543 s->s3->hs.tls13.quic_read_buffer = NULL;
1544 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial;
1545 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial;
1546
1547 s->s3->hs.extensions_seen = 0;
1548
1549 rp = s->s3->rbuf.buf;
1550 wp = s->s3->wbuf.buf;
1551 rlen = s->s3->rbuf.len;
1552 wlen = s->s3->wbuf.len;
1553
1554 tls_content_free(s->s3->rcontent);
1555 s->s3->rcontent = NULL;
1556
1557 tls1_transcript_free(s);
1558 tls1_transcript_hash_free(s);
1559
1560 free(s->s3->alpn_selected);
1561 s->s3->alpn_selected = NULL;
1562 s->s3->alpn_selected_len = 0;
1563
1564 freezero(s->s3->peer_quic_transport_params,
1565 s->s3->peer_quic_transport_params_len);
1566 s->s3->peer_quic_transport_params = NULL;
1567 s->s3->peer_quic_transport_params_len = 0;
1568
1569 memset(s->s3, 0, sizeof(*s->s3));
1570
1571 s->s3->rbuf.buf = rp;
1572 s->s3->wbuf.buf = wp;
1573 s->s3->rbuf.len = rlen;
1574 s->s3->wbuf.len = wlen;
1575
1576 ssl_free_wbio_buffer(s);
1577
1578 /* Not needed... */
1579 s->s3->renegotiate = 0;
1580 s->s3->total_renegotiations = 0;
1581 s->s3->num_renegotiations = 0;
1582 s->s3->in_read_app_data = 0;
1583
1584 s->packet_length = 0;
1585 s->version = TLS1_2_VERSION;
1586
1587 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1588 }
1589
1590 long
_SSL_get_shared_group(SSL * s,long n)1591 _SSL_get_shared_group(SSL *s, long n)
1592 {
1593 size_t count;
1594 int nid;
1595
1596 /* OpenSSL document that they return -1 for clients. They return 0. */
1597 if (!s->server)
1598 return 0;
1599
1600 if (n == -1) {
1601 if (!tls1_count_shared_groups(s, &count))
1602 return 0;
1603
1604 if (count > LONG_MAX)
1605 count = LONG_MAX;
1606
1607 return count;
1608 }
1609
1610 /* Undocumented special case added for Suite B profile support. */
1611 if (n == -2)
1612 n = 0;
1613
1614 if (n < 0)
1615 return 0;
1616
1617 if (!tls1_get_shared_group_by_index(s, n, &nid))
1618 return NID_undef;
1619
1620 return nid;
1621 }
1622
1623 long
_SSL_get_peer_tmp_key(SSL * s,EVP_PKEY ** key)1624 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1625 {
1626 EVP_PKEY *pkey = NULL;
1627 int ret = 0;
1628
1629 *key = NULL;
1630
1631 if (s->s3->hs.key_share == NULL)
1632 goto err;
1633
1634 if ((pkey = EVP_PKEY_new()) == NULL)
1635 goto err;
1636 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1637 goto err;
1638
1639 *key = pkey;
1640 pkey = NULL;
1641
1642 ret = 1;
1643
1644 err:
1645 EVP_PKEY_free(pkey);
1646
1647 return (ret);
1648 }
1649
1650 static int
_SSL_session_reused(SSL * s)1651 _SSL_session_reused(SSL *s)
1652 {
1653 return s->hit;
1654 }
1655
1656 static int
_SSL_num_renegotiations(SSL * s)1657 _SSL_num_renegotiations(SSL *s)
1658 {
1659 return s->s3->num_renegotiations;
1660 }
1661
1662 static int
_SSL_clear_num_renegotiations(SSL * s)1663 _SSL_clear_num_renegotiations(SSL *s)
1664 {
1665 int renegs;
1666
1667 renegs = s->s3->num_renegotiations;
1668 s->s3->num_renegotiations = 0;
1669
1670 return renegs;
1671 }
1672
1673 static int
_SSL_total_renegotiations(SSL * s)1674 _SSL_total_renegotiations(SSL *s)
1675 {
1676 return s->s3->total_renegotiations;
1677 }
1678
1679 static int
_SSL_set_tmp_dh(SSL * s,DH * dh)1680 _SSL_set_tmp_dh(SSL *s, DH *dh)
1681 {
1682 DH *dhe_params;
1683
1684 if (dh == NULL) {
1685 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1686 return 0;
1687 }
1688
1689 if (!ssl_security_dh(s, dh)) {
1690 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1691 return 0;
1692 }
1693
1694 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1695 SSLerror(s, ERR_R_DH_LIB);
1696 return 0;
1697 }
1698
1699 DH_free(s->cert->dhe_params);
1700 s->cert->dhe_params = dhe_params;
1701
1702 return 1;
1703 }
1704
1705 static int
_SSL_set_dh_auto(SSL * s,int state)1706 _SSL_set_dh_auto(SSL *s, int state)
1707 {
1708 s->cert->dhe_params_auto = state;
1709 return 1;
1710 }
1711
1712 static int
_SSL_set_tmp_ecdh(SSL * s,EC_KEY * ecdh)1713 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1714 {
1715 const EC_GROUP *group;
1716 int nid;
1717
1718 if (ecdh == NULL)
1719 return 0;
1720 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1721 return 0;
1722
1723 nid = EC_GROUP_get_curve_name(group);
1724 return SSL_set1_groups(s, &nid, 1);
1725 }
1726
1727 static int
_SSL_set_ecdh_auto(SSL * s,int state)1728 _SSL_set_ecdh_auto(SSL *s, int state)
1729 {
1730 return 1;
1731 }
1732
1733 static int
_SSL_set_tlsext_host_name(SSL * s,const char * name)1734 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1735 {
1736 int is_ip;
1737 CBS cbs;
1738
1739 free(s->tlsext_hostname);
1740 s->tlsext_hostname = NULL;
1741
1742 if (name == NULL)
1743 return 1;
1744
1745 CBS_init(&cbs, name, strlen(name));
1746
1747 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1748 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1749 return 0;
1750 }
1751 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1752 SSLerror(s, ERR_R_INTERNAL_ERROR);
1753 return 0;
1754 }
1755
1756 return 1;
1757 }
1758
1759 static int
_SSL_set_tlsext_debug_arg(SSL * s,void * arg)1760 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1761 {
1762 s->tlsext_debug_arg = arg;
1763 return 1;
1764 }
1765
1766 static int
_SSL_get_tlsext_status_type(SSL * s)1767 _SSL_get_tlsext_status_type(SSL *s)
1768 {
1769 return s->tlsext_status_type;
1770 }
1771
1772 static int
_SSL_set_tlsext_status_type(SSL * s,int type)1773 _SSL_set_tlsext_status_type(SSL *s, int type)
1774 {
1775 s->tlsext_status_type = type;
1776 return 1;
1777 }
1778
1779 static int
_SSL_get_tlsext_status_exts(SSL * s,STACK_OF (X509_EXTENSION)** exts)1780 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1781 {
1782 *exts = s->tlsext_ocsp_exts;
1783 return 1;
1784 }
1785
1786 static int
_SSL_set_tlsext_status_exts(SSL * s,STACK_OF (X509_EXTENSION)* exts)1787 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1788 {
1789 /* XXX - leak... */
1790 s->tlsext_ocsp_exts = exts;
1791 return 1;
1792 }
1793
1794 static int
_SSL_get_tlsext_status_ids(SSL * s,STACK_OF (OCSP_RESPID)** ids)1795 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1796 {
1797 *ids = s->tlsext_ocsp_ids;
1798 return 1;
1799 }
1800
1801 static int
_SSL_set_tlsext_status_ids(SSL * s,STACK_OF (OCSP_RESPID)* ids)1802 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1803 {
1804 /* XXX - leak... */
1805 s->tlsext_ocsp_ids = ids;
1806 return 1;
1807 }
1808
1809 static int
_SSL_get_tlsext_status_ocsp_resp(SSL * s,unsigned char ** resp)1810 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1811 {
1812 if (s->tlsext_ocsp_resp != NULL &&
1813 s->tlsext_ocsp_resp_len < INT_MAX) {
1814 *resp = s->tlsext_ocsp_resp;
1815 return (int)s->tlsext_ocsp_resp_len;
1816 }
1817
1818 *resp = NULL;
1819
1820 return -1;
1821 }
1822
1823 static int
_SSL_set_tlsext_status_ocsp_resp(SSL * s,unsigned char * resp,int resp_len)1824 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1825 {
1826 free(s->tlsext_ocsp_resp);
1827 s->tlsext_ocsp_resp = NULL;
1828 s->tlsext_ocsp_resp_len = 0;
1829
1830 if (resp_len < 0)
1831 return 0;
1832
1833 s->tlsext_ocsp_resp = resp;
1834 s->tlsext_ocsp_resp_len = (size_t)resp_len;
1835
1836 return 1;
1837 }
1838
1839 int
SSL_set0_chain(SSL * ssl,STACK_OF (X509)* chain)1840 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1841 {
1842 return ssl_cert_set0_chain(NULL, ssl, chain);
1843 }
1844 LSSL_ALIAS(SSL_set0_chain);
1845
1846 int
SSL_set1_chain(SSL * ssl,STACK_OF (X509)* chain)1847 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1848 {
1849 return ssl_cert_set1_chain(NULL, ssl, chain);
1850 }
1851 LSSL_ALIAS(SSL_set1_chain);
1852
1853 int
SSL_add0_chain_cert(SSL * ssl,X509 * x509)1854 SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1855 {
1856 return ssl_cert_add0_chain_cert(NULL, ssl, x509);
1857 }
1858 LSSL_ALIAS(SSL_add0_chain_cert);
1859
1860 int
SSL_add1_chain_cert(SSL * ssl,X509 * x509)1861 SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1862 {
1863 return ssl_cert_add1_chain_cert(NULL, ssl, x509);
1864 }
1865 LSSL_ALIAS(SSL_add1_chain_cert);
1866
1867 int
SSL_get0_chain_certs(const SSL * ssl,STACK_OF (X509)** out_chain)1868 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1869 {
1870 *out_chain = NULL;
1871
1872 if (ssl->cert->key != NULL)
1873 *out_chain = ssl->cert->key->chain;
1874
1875 return 1;
1876 }
1877 LSSL_ALIAS(SSL_get0_chain_certs);
1878
1879 int
SSL_clear_chain_certs(SSL * ssl)1880 SSL_clear_chain_certs(SSL *ssl)
1881 {
1882 return ssl_cert_set0_chain(NULL, ssl, NULL);
1883 }
1884 LSSL_ALIAS(SSL_clear_chain_certs);
1885
1886 int
SSL_set1_groups(SSL * s,const int * groups,size_t groups_len)1887 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1888 {
1889 return tls1_set_groups(&s->tlsext_supportedgroups,
1890 &s->tlsext_supportedgroups_length, groups, groups_len);
1891 }
1892 LSSL_ALIAS(SSL_set1_groups);
1893
1894 int
SSL_set1_groups_list(SSL * s,const char * groups)1895 SSL_set1_groups_list(SSL *s, const char *groups)
1896 {
1897 return tls1_set_group_list(&s->tlsext_supportedgroups,
1898 &s->tlsext_supportedgroups_length, groups);
1899 }
1900 LSSL_ALIAS(SSL_set1_groups_list);
1901
1902 static int
_SSL_get_signature_nid(SSL * s,int * nid)1903 _SSL_get_signature_nid(SSL *s, int *nid)
1904 {
1905 const struct ssl_sigalg *sigalg;
1906
1907 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1908 return 0;
1909
1910 *nid = EVP_MD_type(sigalg->md());
1911
1912 return 1;
1913 }
1914
1915 static int
_SSL_get_peer_signature_nid(SSL * s,int * nid)1916 _SSL_get_peer_signature_nid(SSL *s, int *nid)
1917 {
1918 const struct ssl_sigalg *sigalg;
1919
1920 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1921 return 0;
1922
1923 *nid = EVP_MD_type(sigalg->md());
1924
1925 return 1;
1926 }
1927
1928 int
SSL_get_signature_type_nid(const SSL * s,int * nid)1929 SSL_get_signature_type_nid(const SSL *s, int *nid)
1930 {
1931 const struct ssl_sigalg *sigalg;
1932
1933 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1934 return 0;
1935
1936 *nid = sigalg->key_type;
1937 if (sigalg->key_type == EVP_PKEY_RSA &&
1938 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1939 *nid = EVP_PKEY_RSA_PSS;
1940
1941 return 1;
1942 }
1943 LSSL_ALIAS(SSL_get_signature_type_nid);
1944
1945 int
SSL_get_peer_signature_type_nid(const SSL * s,int * nid)1946 SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
1947 {
1948 const struct ssl_sigalg *sigalg;
1949
1950 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1951 return 0;
1952
1953 *nid = sigalg->key_type;
1954 if (sigalg->key_type == EVP_PKEY_RSA &&
1955 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1956 *nid = EVP_PKEY_RSA_PSS;
1957
1958 return 1;
1959 }
1960 LSSL_ALIAS(SSL_get_peer_signature_type_nid);
1961
1962 long
ssl3_ctrl(SSL * s,int cmd,long larg,void * parg)1963 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1964 {
1965 switch (cmd) {
1966 case SSL_CTRL_GET_SESSION_REUSED:
1967 return _SSL_session_reused(s);
1968
1969 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1970 return _SSL_num_renegotiations(s);
1971
1972 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1973 return _SSL_clear_num_renegotiations(s);
1974
1975 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1976 return _SSL_total_renegotiations(s);
1977
1978 case SSL_CTRL_SET_TMP_DH:
1979 return _SSL_set_tmp_dh(s, parg);
1980
1981 case SSL_CTRL_SET_TMP_DH_CB:
1982 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1983 return 0;
1984
1985 case SSL_CTRL_SET_DH_AUTO:
1986 return _SSL_set_dh_auto(s, larg);
1987
1988 case SSL_CTRL_SET_TMP_ECDH:
1989 return _SSL_set_tmp_ecdh(s, parg);
1990
1991 case SSL_CTRL_SET_TMP_ECDH_CB:
1992 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1993 return 0;
1994
1995 case SSL_CTRL_SET_ECDH_AUTO:
1996 return _SSL_set_ecdh_auto(s, larg);
1997
1998 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
1999 if (larg != TLSEXT_NAMETYPE_host_name) {
2000 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2001 return 0;
2002 }
2003 return _SSL_set_tlsext_host_name(s, parg);
2004
2005 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2006 return _SSL_set_tlsext_debug_arg(s, parg);
2007
2008 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
2009 return _SSL_get_tlsext_status_type(s);
2010
2011 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2012 return _SSL_set_tlsext_status_type(s, larg);
2013
2014 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2015 return _SSL_get_tlsext_status_exts(s, parg);
2016
2017 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2018 return _SSL_set_tlsext_status_exts(s, parg);
2019
2020 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2021 return _SSL_get_tlsext_status_ids(s, parg);
2022
2023 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2024 return _SSL_set_tlsext_status_ids(s, parg);
2025
2026 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2027 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2028
2029 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2030 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2031
2032 case SSL_CTRL_CHAIN:
2033 if (larg == 0)
2034 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2035 else
2036 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2037
2038 case SSL_CTRL_CHAIN_CERT:
2039 if (larg == 0)
2040 return SSL_add0_chain_cert(s, (X509 *)parg);
2041 else
2042 return SSL_add1_chain_cert(s, (X509 *)parg);
2043
2044 case SSL_CTRL_GET_CHAIN_CERTS:
2045 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2046
2047 case SSL_CTRL_SET_GROUPS:
2048 return SSL_set1_groups(s, parg, larg);
2049
2050 case SSL_CTRL_SET_GROUPS_LIST:
2051 return SSL_set1_groups_list(s, parg);
2052
2053 case SSL_CTRL_GET_SHARED_GROUP:
2054 return _SSL_get_shared_group(s, larg);
2055
2056 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2057 case SSL_CTRL_GET_SERVER_TMP_KEY:
2058 if (s->server != 0)
2059 return 0;
2060 return _SSL_get_peer_tmp_key(s, parg);
2061
2062 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2063 return SSL_get_min_proto_version(s);
2064
2065 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2066 return SSL_get_max_proto_version(s);
2067
2068 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2069 if (larg < 0 || larg > UINT16_MAX)
2070 return 0;
2071 return SSL_set_min_proto_version(s, larg);
2072
2073 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2074 if (larg < 0 || larg > UINT16_MAX)
2075 return 0;
2076 return SSL_set_max_proto_version(s, larg);
2077
2078 case SSL_CTRL_GET_SIGNATURE_NID:
2079 return _SSL_get_signature_nid(s, parg);
2080
2081 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2082 return _SSL_get_peer_signature_nid(s, parg);
2083
2084 /*
2085 * Legacy controls that should eventually be removed.
2086 */
2087 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2088 return 0;
2089
2090 case SSL_CTRL_GET_FLAGS:
2091 return (int)(s->s3->flags);
2092
2093 case SSL_CTRL_NEED_TMP_RSA:
2094 return 0;
2095
2096 case SSL_CTRL_SET_TMP_RSA:
2097 case SSL_CTRL_SET_TMP_RSA_CB:
2098 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2099 return 0;
2100 }
2101
2102 return 0;
2103 }
2104
2105 long
ssl3_callback_ctrl(SSL * s,int cmd,void (* fp)(void))2106 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2107 {
2108 switch (cmd) {
2109 case SSL_CTRL_SET_TMP_RSA_CB:
2110 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2111 return 0;
2112
2113 case SSL_CTRL_SET_TMP_DH_CB:
2114 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
2115 return 1;
2116
2117 case SSL_CTRL_SET_TMP_ECDH_CB:
2118 return 1;
2119
2120 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2121 s->tlsext_debug_cb = (void (*)(SSL *, int , int,
2122 unsigned char *, int, void *))fp;
2123 return 1;
2124 }
2125
2126 return 0;
2127 }
2128
2129 static int
_SSL_CTX_set_tmp_dh(SSL_CTX * ctx,DH * dh)2130 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2131 {
2132 DH *dhe_params;
2133
2134 if (dh == NULL) {
2135 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
2136 return 0;
2137 }
2138
2139 if (!ssl_ctx_security_dh(ctx, dh)) {
2140 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
2141 return 0;
2142 }
2143
2144 if ((dhe_params = DHparams_dup(dh)) == NULL) {
2145 SSLerrorx(ERR_R_DH_LIB);
2146 return 0;
2147 }
2148
2149 DH_free(ctx->cert->dhe_params);
2150 ctx->cert->dhe_params = dhe_params;
2151
2152 return 1;
2153 }
2154
2155 static int
_SSL_CTX_set_dh_auto(SSL_CTX * ctx,int state)2156 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2157 {
2158 ctx->cert->dhe_params_auto = state;
2159 return 1;
2160 }
2161
2162 static int
_SSL_CTX_set_tmp_ecdh(SSL_CTX * ctx,EC_KEY * ecdh)2163 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2164 {
2165 const EC_GROUP *group;
2166 int nid;
2167
2168 if (ecdh == NULL)
2169 return 0;
2170 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2171 return 0;
2172
2173 nid = EC_GROUP_get_curve_name(group);
2174 return SSL_CTX_set1_groups(ctx, &nid, 1);
2175 }
2176
2177 static int
_SSL_CTX_set_ecdh_auto(SSL_CTX * ctx,int state)2178 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2179 {
2180 return 1;
2181 }
2182
2183 static int
_SSL_CTX_set_tlsext_servername_arg(SSL_CTX * ctx,void * arg)2184 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2185 {
2186 ctx->tlsext_servername_arg = arg;
2187 return 1;
2188 }
2189
2190 static int
_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX * ctx,unsigned char * keys,int keys_len)2191 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2192 {
2193 if (keys == NULL)
2194 return 48;
2195
2196 if (keys_len != 48) {
2197 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2198 return 0;
2199 }
2200
2201 memcpy(keys, ctx->tlsext_tick_key_name, 16);
2202 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
2203 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
2204
2205 return 1;
2206 }
2207
2208 static int
_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX * ctx,unsigned char * keys,int keys_len)2209 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2210 {
2211 if (keys == NULL)
2212 return 48;
2213
2214 if (keys_len != 48) {
2215 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2216 return 0;
2217 }
2218
2219 memcpy(ctx->tlsext_tick_key_name, keys, 16);
2220 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
2221 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
2222
2223 return 1;
2224 }
2225
2226 static int
_SSL_CTX_get_tlsext_status_arg(SSL_CTX * ctx,void ** arg)2227 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2228 {
2229 *arg = ctx->tlsext_status_arg;
2230 return 1;
2231 }
2232
2233 static int
_SSL_CTX_set_tlsext_status_arg(SSL_CTX * ctx,void * arg)2234 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2235 {
2236 ctx->tlsext_status_arg = arg;
2237 return 1;
2238 }
2239
2240 int
SSL_CTX_set0_chain(SSL_CTX * ctx,STACK_OF (X509)* chain)2241 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2242 {
2243 return ssl_cert_set0_chain(ctx, NULL, chain);
2244 }
2245 LSSL_ALIAS(SSL_CTX_set0_chain);
2246
2247 int
SSL_CTX_set1_chain(SSL_CTX * ctx,STACK_OF (X509)* chain)2248 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2249 {
2250 return ssl_cert_set1_chain(ctx, NULL, chain);
2251 }
2252 LSSL_ALIAS(SSL_CTX_set1_chain);
2253
2254 int
SSL_CTX_add0_chain_cert(SSL_CTX * ctx,X509 * x509)2255 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2256 {
2257 return ssl_cert_add0_chain_cert(ctx, NULL, x509);
2258 }
2259 LSSL_ALIAS(SSL_CTX_add0_chain_cert);
2260
2261 int
SSL_CTX_add1_chain_cert(SSL_CTX * ctx,X509 * x509)2262 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2263 {
2264 return ssl_cert_add1_chain_cert(ctx, NULL, x509);
2265 }
2266 LSSL_ALIAS(SSL_CTX_add1_chain_cert);
2267
2268 int
SSL_CTX_get0_chain_certs(const SSL_CTX * ctx,STACK_OF (X509)** out_chain)2269 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2270 {
2271 *out_chain = NULL;
2272
2273 if (ctx->cert->key != NULL)
2274 *out_chain = ctx->cert->key->chain;
2275
2276 return 1;
2277 }
2278 LSSL_ALIAS(SSL_CTX_get0_chain_certs);
2279
2280 int
SSL_CTX_clear_chain_certs(SSL_CTX * ctx)2281 SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2282 {
2283 return ssl_cert_set0_chain(ctx, NULL, NULL);
2284 }
2285 LSSL_ALIAS(SSL_CTX_clear_chain_certs);
2286
2287 static int
_SSL_CTX_add_extra_chain_cert(SSL_CTX * ctx,X509 * cert)2288 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2289 {
2290 if (ctx->extra_certs == NULL) {
2291 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2292 return 0;
2293 }
2294 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2295 return 0;
2296
2297 return 1;
2298 }
2299
2300 static int
_SSL_CTX_get_extra_chain_certs(SSL_CTX * ctx,STACK_OF (X509)** certs)2301 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2302 {
2303 *certs = ctx->extra_certs;
2304 if (*certs == NULL)
2305 *certs = ctx->cert->key->chain;
2306
2307 return 1;
2308 }
2309
2310 static int
_SSL_CTX_get_extra_chain_certs_only(SSL_CTX * ctx,STACK_OF (X509)** certs)2311 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2312 {
2313 *certs = ctx->extra_certs;
2314 return 1;
2315 }
2316
2317 static int
_SSL_CTX_clear_extra_chain_certs(SSL_CTX * ctx)2318 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2319 {
2320 sk_X509_pop_free(ctx->extra_certs, X509_free);
2321 ctx->extra_certs = NULL;
2322 return 1;
2323 }
2324
2325 int
SSL_CTX_set1_groups(SSL_CTX * ctx,const int * groups,size_t groups_len)2326 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2327 {
2328 return tls1_set_groups(&ctx->tlsext_supportedgroups,
2329 &ctx->tlsext_supportedgroups_length, groups, groups_len);
2330 }
2331 LSSL_ALIAS(SSL_CTX_set1_groups);
2332
2333 int
SSL_CTX_set1_groups_list(SSL_CTX * ctx,const char * groups)2334 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2335 {
2336 return tls1_set_group_list(&ctx->tlsext_supportedgroups,
2337 &ctx->tlsext_supportedgroups_length, groups);
2338 }
2339 LSSL_ALIAS(SSL_CTX_set1_groups_list);
2340
2341 long
ssl3_ctx_ctrl(SSL_CTX * ctx,int cmd,long larg,void * parg)2342 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2343 {
2344 switch (cmd) {
2345 case SSL_CTRL_SET_TMP_DH:
2346 return _SSL_CTX_set_tmp_dh(ctx, parg);
2347
2348 case SSL_CTRL_SET_TMP_DH_CB:
2349 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2350 return 0;
2351
2352 case SSL_CTRL_SET_DH_AUTO:
2353 return _SSL_CTX_set_dh_auto(ctx, larg);
2354
2355 case SSL_CTRL_SET_TMP_ECDH:
2356 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2357
2358 case SSL_CTRL_SET_TMP_ECDH_CB:
2359 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2360 return 0;
2361
2362 case SSL_CTRL_SET_ECDH_AUTO:
2363 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2364
2365 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2366 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2367
2368 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2369 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2370
2371 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2372 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2373
2374 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2375 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2376
2377 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2378 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2379
2380 case SSL_CTRL_CHAIN:
2381 if (larg == 0)
2382 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2383 else
2384 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2385
2386 case SSL_CTRL_CHAIN_CERT:
2387 if (larg == 0)
2388 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2389 else
2390 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2391
2392 case SSL_CTRL_GET_CHAIN_CERTS:
2393 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2394
2395 case SSL_CTRL_EXTRA_CHAIN_CERT:
2396 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2397
2398 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2399 if (larg == 0)
2400 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2401 else
2402 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2403
2404 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2405 return _SSL_CTX_clear_extra_chain_certs(ctx);
2406
2407 case SSL_CTRL_SET_GROUPS:
2408 return SSL_CTX_set1_groups(ctx, parg, larg);
2409
2410 case SSL_CTRL_SET_GROUPS_LIST:
2411 return SSL_CTX_set1_groups_list(ctx, parg);
2412
2413 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2414 return SSL_CTX_get_min_proto_version(ctx);
2415
2416 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2417 return SSL_CTX_get_max_proto_version(ctx);
2418
2419 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2420 if (larg < 0 || larg > UINT16_MAX)
2421 return 0;
2422 return SSL_CTX_set_min_proto_version(ctx, larg);
2423
2424 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2425 if (larg < 0 || larg > UINT16_MAX)
2426 return 0;
2427 return SSL_CTX_set_max_proto_version(ctx, larg);
2428
2429 /*
2430 * Legacy controls that should eventually be removed.
2431 */
2432 case SSL_CTRL_NEED_TMP_RSA:
2433 return 0;
2434
2435 case SSL_CTRL_SET_TMP_RSA:
2436 case SSL_CTRL_SET_TMP_RSA_CB:
2437 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2438 return 0;
2439 }
2440
2441 return 0;
2442 }
2443
2444 long
ssl3_ctx_callback_ctrl(SSL_CTX * ctx,int cmd,void (* fp)(void))2445 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2446 {
2447 switch (cmd) {
2448 case SSL_CTRL_SET_TMP_RSA_CB:
2449 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2450 return 0;
2451
2452 case SSL_CTRL_SET_TMP_DH_CB:
2453 ctx->cert->dhe_params_cb =
2454 (DH *(*)(SSL *, int, int))fp;
2455 return 1;
2456
2457 case SSL_CTRL_SET_TMP_ECDH_CB:
2458 return 1;
2459
2460 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2461 ctx->tlsext_servername_callback =
2462 (int (*)(SSL *, int *, void *))fp;
2463 return 1;
2464
2465 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2466 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb;
2467 return 1;
2468
2469 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2470 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2471 return 1;
2472
2473 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2474 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2475 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2476 return 1;
2477 }
2478
2479 return 0;
2480 }
2481
2482 SSL_CIPHER *
ssl3_choose_cipher(SSL * s,STACK_OF (SSL_CIPHER)* clnt,STACK_OF (SSL_CIPHER)* srvr)2483 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2484 STACK_OF(SSL_CIPHER) *srvr)
2485 {
2486 unsigned long alg_k, alg_a, mask_k, mask_a;
2487 STACK_OF(SSL_CIPHER) *prio, *allow;
2488 SSL_CIPHER *c, *ret = NULL;
2489 int can_use_ecc;
2490 int i, ii, nid, ok;
2491 SSL_CERT *cert;
2492
2493 /* Let's see which ciphers we can support */
2494 cert = s->cert;
2495
2496 can_use_ecc = tls1_get_supported_group(s, &nid);
2497
2498 /*
2499 * Do not set the compare functions, because this may lead to a
2500 * reordering by "id". We want to keep the original ordering.
2501 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2502 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2503 */
2504
2505 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2506 prio = srvr;
2507 allow = clnt;
2508 } else {
2509 prio = clnt;
2510 allow = srvr;
2511 }
2512
2513 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2514 c = sk_SSL_CIPHER_value(prio, i);
2515
2516 /* Skip TLS v1.2 only ciphersuites if not supported. */
2517 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2518 !SSL_USE_TLS1_2_CIPHERS(s))
2519 continue;
2520
2521 /* Skip TLS v1.3 only ciphersuites if not supported. */
2522 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2523 !SSL_USE_TLS1_3_CIPHERS(s))
2524 continue;
2525
2526 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2527 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2528 !(c->algorithm_ssl & SSL_TLSV1_3))
2529 continue;
2530
2531 if (!ssl_security_shared_cipher(s, c))
2532 continue;
2533
2534 ssl_set_cert_masks(cert, c);
2535 mask_k = cert->mask_k;
2536 mask_a = cert->mask_a;
2537
2538 alg_k = c->algorithm_mkey;
2539 alg_a = c->algorithm_auth;
2540
2541 ok = (alg_k & mask_k) && (alg_a & mask_a);
2542
2543 /*
2544 * If we are considering an ECC cipher suite that uses our
2545 * certificate check it.
2546 */
2547 if (alg_a & SSL_aECDSA)
2548 ok = ok && tls1_check_ec_server_key(s);
2549 /*
2550 * If we are considering an ECC cipher suite that uses
2551 * an ephemeral EC key check it.
2552 */
2553 if (alg_k & SSL_kECDHE)
2554 ok = ok && can_use_ecc;
2555
2556 if (!ok)
2557 continue;
2558 ii = sk_SSL_CIPHER_find(allow, c);
2559 if (ii >= 0) {
2560 ret = sk_SSL_CIPHER_value(allow, ii);
2561 break;
2562 }
2563 }
2564 return (ret);
2565 }
2566
2567 #define SSL3_CT_RSA_SIGN 1
2568 #define SSL3_CT_RSA_FIXED_DH 3
2569 #define SSL3_CT_ECDSA_SIGN 64
2570
2571 int
ssl3_get_req_cert_types(SSL * s,CBB * cbb)2572 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2573 {
2574 unsigned long alg_k;
2575
2576 alg_k = s->s3->hs.cipher->algorithm_mkey;
2577
2578 if ((alg_k & SSL_kDHE) != 0) {
2579 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2580 return 0;
2581 }
2582
2583 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2584 return 0;
2585
2586 /*
2587 * ECDSA certs can be used with RSA cipher suites as well
2588 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2589 */
2590 if (!CBB_add_u8(cbb, SSL3_CT_ECDSA_SIGN))
2591 return 0;
2592
2593 return 1;
2594 }
2595
2596 int
ssl3_shutdown(SSL * s)2597 ssl3_shutdown(SSL *s)
2598 {
2599 int ret;
2600
2601 /*
2602 * Don't do anything much if we have not done the handshake or
2603 * we don't want to send messages :-)
2604 */
2605 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2606 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2607 return (1);
2608 }
2609
2610 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
2611 s->shutdown|=SSL_SENT_SHUTDOWN;
2612 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2613 /*
2614 * Our shutdown alert has been sent now, and if it still needs
2615 * to be written, s->s3->alert_dispatch will be true
2616 */
2617 if (s->s3->alert_dispatch)
2618 return (-1); /* return WANT_WRITE */
2619 } else if (s->s3->alert_dispatch) {
2620 /* resend it if not sent */
2621 ret = ssl3_dispatch_alert(s);
2622 if (ret == -1) {
2623 /*
2624 * We only get to return -1 here the 2nd/Nth
2625 * invocation, we must have already signalled
2626 * return 0 upon a previous invoation,
2627 * return WANT_WRITE
2628 */
2629 return (ret);
2630 }
2631 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2632 /* If we are waiting for a close from our peer, we are closed */
2633 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2634 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2635 return (-1); /* return WANT_READ */
2636 }
2637 }
2638
2639 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2640 !s->s3->alert_dispatch)
2641 return (1);
2642 else
2643 return (0);
2644 }
2645
2646 int
ssl3_write(SSL * s,const void * buf,int len)2647 ssl3_write(SSL *s, const void *buf, int len)
2648 {
2649 errno = 0;
2650
2651 if (s->s3->renegotiate)
2652 ssl3_renegotiate_check(s);
2653
2654 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2655 buf, len);
2656 }
2657
2658 static int
ssl3_read_internal(SSL * s,void * buf,int len,int peek)2659 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2660 {
2661 int ret;
2662
2663 errno = 0;
2664 if (s->s3->renegotiate)
2665 ssl3_renegotiate_check(s);
2666 s->s3->in_read_app_data = 1;
2667
2668 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2669 peek);
2670 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2671 /*
2672 * ssl3_read_bytes decided to call s->handshake_func,
2673 * which called ssl3_read_bytes to read handshake data.
2674 * However, ssl3_read_bytes actually found application data
2675 * and thinks that application data makes sense here; so disable
2676 * handshake processing and try to read application data again.
2677 */
2678 s->in_handshake++;
2679 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2680 buf, len, peek);
2681 s->in_handshake--;
2682 } else
2683 s->s3->in_read_app_data = 0;
2684
2685 return (ret);
2686 }
2687
2688 int
ssl3_read(SSL * s,void * buf,int len)2689 ssl3_read(SSL *s, void *buf, int len)
2690 {
2691 return ssl3_read_internal(s, buf, len, 0);
2692 }
2693
2694 int
ssl3_peek(SSL * s,void * buf,int len)2695 ssl3_peek(SSL *s, void *buf, int len)
2696 {
2697 return ssl3_read_internal(s, buf, len, 1);
2698 }
2699
2700 int
ssl3_renegotiate(SSL * s)2701 ssl3_renegotiate(SSL *s)
2702 {
2703 if (s->handshake_func == NULL)
2704 return 1;
2705
2706 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2707 return 0;
2708
2709 s->s3->renegotiate = 1;
2710
2711 return 1;
2712 }
2713
2714 int
ssl3_renegotiate_check(SSL * s)2715 ssl3_renegotiate_check(SSL *s)
2716 {
2717 if (!s->s3->renegotiate)
2718 return 0;
2719 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2720 return 0;
2721
2722 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2723 s->s3->renegotiate = 0;
2724 s->s3->num_renegotiations++;
2725 s->s3->total_renegotiations++;
2726
2727 return 1;
2728 }
2729