1 /* $OpenBSD: s3_lib.c,v 1.257 2024/07/23 14:40:53 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <limits.h>
152 #include <stdio.h>
153 #include <stdlib.h>
154
155 #include <openssl/bn.h>
156 #include <openssl/curve25519.h>
157 #include <openssl/dh.h>
158 #include <openssl/md5.h>
159 #include <openssl/objects.h>
160 #include <openssl/opensslconf.h>
161
162 #include "bytestring.h"
163 #include "dtls_local.h"
164 #include "ssl_local.h"
165 #include "ssl_sigalgs.h"
166 #include "ssl_tlsext.h"
167 #include "tls_content.h"
168
169 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
170
171 /* list of available SSLv3 ciphers (sorted by id) */
172 const SSL_CIPHER ssl3_ciphers[] = {
173
174 /*
175 * SSLv3 RSA cipher suites (RFC 6101, appendix A.6).
176 */
177 {
178 .value = 0x0001,
179 .name = SSL3_TXT_RSA_NULL_MD5,
180 .algorithm_mkey = SSL_kRSA,
181 .algorithm_auth = SSL_aRSA,
182 .algorithm_enc = SSL_eNULL,
183 .algorithm_mac = SSL_MD5,
184 .algorithm_ssl = SSL_SSLV3,
185 .algo_strength = SSL_STRONG_NONE,
186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
187 .strength_bits = 0,
188 .alg_bits = 0,
189 },
190 {
191 .value = 0x0002,
192 .name = SSL3_TXT_RSA_NULL_SHA,
193 .algorithm_mkey = SSL_kRSA,
194 .algorithm_auth = SSL_aRSA,
195 .algorithm_enc = SSL_eNULL,
196 .algorithm_mac = SSL_SHA1,
197 .algorithm_ssl = SSL_SSLV3,
198 .algo_strength = SSL_STRONG_NONE,
199 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
200 .strength_bits = 0,
201 .alg_bits = 0,
202 },
203 {
204 .value = 0x0004,
205 .name = SSL3_TXT_RSA_RC4_128_MD5,
206 .algorithm_mkey = SSL_kRSA,
207 .algorithm_auth = SSL_aRSA,
208 .algorithm_enc = SSL_RC4,
209 .algorithm_mac = SSL_MD5,
210 .algorithm_ssl = SSL_SSLV3,
211 .algo_strength = SSL_LOW,
212 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
213 .strength_bits = 128,
214 .alg_bits = 128,
215 },
216 {
217 .value = 0x0005,
218 .name = SSL3_TXT_RSA_RC4_128_SHA,
219 .algorithm_mkey = SSL_kRSA,
220 .algorithm_auth = SSL_aRSA,
221 .algorithm_enc = SSL_RC4,
222 .algorithm_mac = SSL_SHA1,
223 .algorithm_ssl = SSL_SSLV3,
224 .algo_strength = SSL_LOW,
225 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
226 .strength_bits = 128,
227 .alg_bits = 128,
228 },
229 {
230 .value = 0x000a,
231 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
232 .algorithm_mkey = SSL_kRSA,
233 .algorithm_auth = SSL_aRSA,
234 .algorithm_enc = SSL_3DES,
235 .algorithm_mac = SSL_SHA1,
236 .algorithm_ssl = SSL_SSLV3,
237 .algo_strength = SSL_MEDIUM,
238 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
239 .strength_bits = 112,
240 .alg_bits = 168,
241 },
242
243 /*
244 * SSLv3 DHE cipher suites (RFC 6101, appendix A.6).
245 */
246 {
247 .value = 0x0016,
248 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
249 .algorithm_mkey = SSL_kDHE,
250 .algorithm_auth = SSL_aRSA,
251 .algorithm_enc = SSL_3DES,
252 .algorithm_mac = SSL_SHA1,
253 .algorithm_ssl = SSL_SSLV3,
254 .algo_strength = SSL_MEDIUM,
255 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
256 .strength_bits = 112,
257 .alg_bits = 168,
258 },
259 {
260 .value = 0x0018,
261 .name = SSL3_TXT_ADH_RC4_128_MD5,
262 .algorithm_mkey = SSL_kDHE,
263 .algorithm_auth = SSL_aNULL,
264 .algorithm_enc = SSL_RC4,
265 .algorithm_mac = SSL_MD5,
266 .algorithm_ssl = SSL_SSLV3,
267 .algo_strength = SSL_LOW,
268 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
269 .strength_bits = 128,
270 .alg_bits = 128,
271 },
272 {
273 .value = 0x001b,
274 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
275 .algorithm_mkey = SSL_kDHE,
276 .algorithm_auth = SSL_aNULL,
277 .algorithm_enc = SSL_3DES,
278 .algorithm_mac = SSL_SHA1,
279 .algorithm_ssl = SSL_SSLV3,
280 .algo_strength = SSL_MEDIUM,
281 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
282 .strength_bits = 112,
283 .alg_bits = 168,
284 },
285
286 /*
287 * TLSv1.0 AES cipher suites (RFC 3268).
288 */
289 {
290 .value = 0x002f,
291 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
292 .algorithm_mkey = SSL_kRSA,
293 .algorithm_auth = SSL_aRSA,
294 .algorithm_enc = SSL_AES128,
295 .algorithm_mac = SSL_SHA1,
296 .algorithm_ssl = SSL_TLSV1,
297 .algo_strength = SSL_HIGH,
298 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
299 .strength_bits = 128,
300 .alg_bits = 128,
301 },
302 {
303 .value = 0x0033,
304 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
305 .algorithm_mkey = SSL_kDHE,
306 .algorithm_auth = SSL_aRSA,
307 .algorithm_enc = SSL_AES128,
308 .algorithm_mac = SSL_SHA1,
309 .algorithm_ssl = SSL_TLSV1,
310 .algo_strength = SSL_HIGH,
311 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
312 .strength_bits = 128,
313 .alg_bits = 128,
314 },
315 {
316 .value = 0x0034,
317 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
318 .algorithm_mkey = SSL_kDHE,
319 .algorithm_auth = SSL_aNULL,
320 .algorithm_enc = SSL_AES128,
321 .algorithm_mac = SSL_SHA1,
322 .algorithm_ssl = SSL_TLSV1,
323 .algo_strength = SSL_HIGH,
324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
325 .strength_bits = 128,
326 .alg_bits = 128,
327 },
328 {
329 .value = 0x0035,
330 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
331 .algorithm_mkey = SSL_kRSA,
332 .algorithm_auth = SSL_aRSA,
333 .algorithm_enc = SSL_AES256,
334 .algorithm_mac = SSL_SHA1,
335 .algorithm_ssl = SSL_TLSV1,
336 .algo_strength = SSL_HIGH,
337 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
338 .strength_bits = 256,
339 .alg_bits = 256,
340 },
341 {
342 .value = 0x0039,
343 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
344 .algorithm_mkey = SSL_kDHE,
345 .algorithm_auth = SSL_aRSA,
346 .algorithm_enc = SSL_AES256,
347 .algorithm_mac = SSL_SHA1,
348 .algorithm_ssl = SSL_TLSV1,
349 .algo_strength = SSL_HIGH,
350 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
351 .strength_bits = 256,
352 .alg_bits = 256,
353 },
354 {
355 .value = 0x003a,
356 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
357 .algorithm_mkey = SSL_kDHE,
358 .algorithm_auth = SSL_aNULL,
359 .algorithm_enc = SSL_AES256,
360 .algorithm_mac = SSL_SHA1,
361 .algorithm_ssl = SSL_TLSV1,
362 .algo_strength = SSL_HIGH,
363 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
364 .strength_bits = 256,
365 .alg_bits = 256,
366 },
367
368 /*
369 * TLSv1.2 RSA cipher suites (RFC 5246, appendix A.5).
370 */
371 {
372 .value = 0x003b,
373 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
374 .algorithm_mkey = SSL_kRSA,
375 .algorithm_auth = SSL_aRSA,
376 .algorithm_enc = SSL_eNULL,
377 .algorithm_mac = SSL_SHA256,
378 .algorithm_ssl = SSL_TLSV1_2,
379 .algo_strength = SSL_STRONG_NONE,
380 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
381 .strength_bits = 0,
382 .alg_bits = 0,
383 },
384 {
385 .value = 0x003c,
386 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
387 .algorithm_mkey = SSL_kRSA,
388 .algorithm_auth = SSL_aRSA,
389 .algorithm_enc = SSL_AES128,
390 .algorithm_mac = SSL_SHA256,
391 .algorithm_ssl = SSL_TLSV1_2,
392 .algo_strength = SSL_HIGH,
393 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
394 .strength_bits = 128,
395 .alg_bits = 128,
396 },
397 {
398 .value = 0x003d,
399 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
400 .algorithm_mkey = SSL_kRSA,
401 .algorithm_auth = SSL_aRSA,
402 .algorithm_enc = SSL_AES256,
403 .algorithm_mac = SSL_SHA256,
404 .algorithm_ssl = SSL_TLSV1_2,
405 .algo_strength = SSL_HIGH,
406 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
407 .strength_bits = 256,
408 .alg_bits = 256,
409 },
410
411 #ifndef OPENSSL_NO_CAMELLIA
412 /*
413 * TLSv1.0 Camellia 128 bit cipher suites (RFC 4132).
414 */
415 {
416 .value = 0x0041,
417 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
418 .algorithm_mkey = SSL_kRSA,
419 .algorithm_auth = SSL_aRSA,
420 .algorithm_enc = SSL_CAMELLIA128,
421 .algorithm_mac = SSL_SHA1,
422 .algorithm_ssl = SSL_TLSV1,
423 .algo_strength = SSL_HIGH,
424 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
425 .strength_bits = 128,
426 .alg_bits = 128,
427 },
428 {
429 .value = 0x0045,
430 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
431 .algorithm_mkey = SSL_kDHE,
432 .algorithm_auth = SSL_aRSA,
433 .algorithm_enc = SSL_CAMELLIA128,
434 .algorithm_mac = SSL_SHA1,
435 .algorithm_ssl = SSL_TLSV1,
436 .algo_strength = SSL_HIGH,
437 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
438 .strength_bits = 128,
439 .alg_bits = 128,
440 },
441 {
442 .value = 0x0046,
443 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
444 .algorithm_mkey = SSL_kDHE,
445 .algorithm_auth = SSL_aNULL,
446 .algorithm_enc = SSL_CAMELLIA128,
447 .algorithm_mac = SSL_SHA1,
448 .algorithm_ssl = SSL_TLSV1,
449 .algo_strength = SSL_HIGH,
450 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
451 .strength_bits = 128,
452 .alg_bits = 128,
453 },
454 #endif /* OPENSSL_NO_CAMELLIA */
455
456 /*
457 * TLSv1.2 DHE cipher suites (RFC 5246, appendix A.5).
458 */
459 {
460 .value = 0x0067,
461 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
462 .algorithm_mkey = SSL_kDHE,
463 .algorithm_auth = SSL_aRSA,
464 .algorithm_enc = SSL_AES128,
465 .algorithm_mac = SSL_SHA256,
466 .algorithm_ssl = SSL_TLSV1_2,
467 .algo_strength = SSL_HIGH,
468 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
469 .strength_bits = 128,
470 .alg_bits = 128,
471 },
472 {
473 .value = 0x006b,
474 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
475 .algorithm_mkey = SSL_kDHE,
476 .algorithm_auth = SSL_aRSA,
477 .algorithm_enc = SSL_AES256,
478 .algorithm_mac = SSL_SHA256,
479 .algorithm_ssl = SSL_TLSV1_2,
480 .algo_strength = SSL_HIGH,
481 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
482 .strength_bits = 256,
483 .alg_bits = 256,
484 },
485 {
486 .value = 0x006c,
487 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
488 .algorithm_mkey = SSL_kDHE,
489 .algorithm_auth = SSL_aNULL,
490 .algorithm_enc = SSL_AES128,
491 .algorithm_mac = SSL_SHA256,
492 .algorithm_ssl = SSL_TLSV1_2,
493 .algo_strength = SSL_HIGH,
494 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
495 .strength_bits = 128,
496 .alg_bits = 128,
497 },
498 {
499 .value = 0x006d,
500 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
501 .algorithm_mkey = SSL_kDHE,
502 .algorithm_auth = SSL_aNULL,
503 .algorithm_enc = SSL_AES256,
504 .algorithm_mac = SSL_SHA256,
505 .algorithm_ssl = SSL_TLSV1_2,
506 .algo_strength = SSL_HIGH,
507 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
508 .strength_bits = 256,
509 .alg_bits = 256,
510 },
511
512 #ifndef OPENSSL_NO_CAMELLIA
513 /*
514 * TLSv1.0 Camellia 256 bit cipher suites (RFC 4132).
515 */
516 {
517 .value = 0x0084,
518 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
519 .algorithm_mkey = SSL_kRSA,
520 .algorithm_auth = SSL_aRSA,
521 .algorithm_enc = SSL_CAMELLIA256,
522 .algorithm_mac = SSL_SHA1,
523 .algorithm_ssl = SSL_TLSV1,
524 .algo_strength = SSL_HIGH,
525 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
526 .strength_bits = 256,
527 .alg_bits = 256,
528 },
529 {
530 .value = 0x0088,
531 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
532 .algorithm_mkey = SSL_kDHE,
533 .algorithm_auth = SSL_aRSA,
534 .algorithm_enc = SSL_CAMELLIA256,
535 .algorithm_mac = SSL_SHA1,
536 .algorithm_ssl = SSL_TLSV1,
537 .algo_strength = SSL_HIGH,
538 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
539 .strength_bits = 256,
540 .alg_bits = 256,
541 },
542 {
543 .value = 0x0089,
544 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
545 .algorithm_mkey = SSL_kDHE,
546 .algorithm_auth = SSL_aNULL,
547 .algorithm_enc = SSL_CAMELLIA256,
548 .algorithm_mac = SSL_SHA1,
549 .algorithm_ssl = SSL_TLSV1,
550 .algo_strength = SSL_HIGH,
551 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
552 .strength_bits = 256,
553 .alg_bits = 256,
554 },
555 #endif /* OPENSSL_NO_CAMELLIA */
556
557 /*
558 * TLSv1.2 AES GCM cipher suites (RFC 5288).
559 */
560 {
561 .value = 0x009c,
562 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
563 .algorithm_mkey = SSL_kRSA,
564 .algorithm_auth = SSL_aRSA,
565 .algorithm_enc = SSL_AES128GCM,
566 .algorithm_mac = SSL_AEAD,
567 .algorithm_ssl = SSL_TLSV1_2,
568 .algo_strength = SSL_HIGH,
569 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
570 .strength_bits = 128,
571 .alg_bits = 128,
572 },
573 {
574 .value = 0x009d,
575 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
576 .algorithm_mkey = SSL_kRSA,
577 .algorithm_auth = SSL_aRSA,
578 .algorithm_enc = SSL_AES256GCM,
579 .algorithm_mac = SSL_AEAD,
580 .algorithm_ssl = SSL_TLSV1_2,
581 .algo_strength = SSL_HIGH,
582 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
583 .strength_bits = 256,
584 .alg_bits = 256,
585 },
586 {
587 .value = 0x009e,
588 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
589 .algorithm_mkey = SSL_kDHE,
590 .algorithm_auth = SSL_aRSA,
591 .algorithm_enc = SSL_AES128GCM,
592 .algorithm_mac = SSL_AEAD,
593 .algorithm_ssl = SSL_TLSV1_2,
594 .algo_strength = SSL_HIGH,
595 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
596 .strength_bits = 128,
597 .alg_bits = 128,
598 },
599 {
600 .value = 0x009f,
601 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
602 .algorithm_mkey = SSL_kDHE,
603 .algorithm_auth = SSL_aRSA,
604 .algorithm_enc = SSL_AES256GCM,
605 .algorithm_mac = SSL_AEAD,
606 .algorithm_ssl = SSL_TLSV1_2,
607 .algo_strength = SSL_HIGH,
608 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
609 .strength_bits = 256,
610 .alg_bits = 256,
611 },
612 {
613 .value = 0x00a6,
614 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
615 .algorithm_mkey = SSL_kDHE,
616 .algorithm_auth = SSL_aNULL,
617 .algorithm_enc = SSL_AES128GCM,
618 .algorithm_mac = SSL_AEAD,
619 .algorithm_ssl = SSL_TLSV1_2,
620 .algo_strength = SSL_HIGH,
621 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
622 .strength_bits = 128,
623 .alg_bits = 128,
624 },
625 {
626 .value = 0x00a7,
627 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
628 .algorithm_mkey = SSL_kDHE,
629 .algorithm_auth = SSL_aNULL,
630 .algorithm_enc = SSL_AES256GCM,
631 .algorithm_mac = SSL_AEAD,
632 .algorithm_ssl = SSL_TLSV1_2,
633 .algo_strength = SSL_HIGH,
634 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
635 .strength_bits = 256,
636 .alg_bits = 256,
637 },
638
639 #ifndef OPENSSL_NO_CAMELLIA
640 /*
641 * TLSv1.2 Camellia SHA-256 cipher suites (RFC 5932).
642 */
643 {
644 .value = 0x00ba,
645 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
646 .algorithm_mkey = SSL_kRSA,
647 .algorithm_auth = SSL_aRSA,
648 .algorithm_enc = SSL_CAMELLIA128,
649 .algorithm_mac = SSL_SHA256,
650 .algorithm_ssl = SSL_TLSV1_2,
651 .algo_strength = SSL_HIGH,
652 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
653 .strength_bits = 128,
654 .alg_bits = 128,
655 },
656 {
657 .value = 0x000be,
658 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
659 .algorithm_mkey = SSL_kDHE,
660 .algorithm_auth = SSL_aRSA,
661 .algorithm_enc = SSL_CAMELLIA128,
662 .algorithm_mac = SSL_SHA256,
663 .algorithm_ssl = SSL_TLSV1_2,
664 .algo_strength = SSL_HIGH,
665 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
666 .strength_bits = 128,
667 .alg_bits = 128,
668 },
669 {
670 .value = 0x00bf,
671 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
672 .algorithm_mkey = SSL_kDHE,
673 .algorithm_auth = SSL_aNULL,
674 .algorithm_enc = SSL_CAMELLIA128,
675 .algorithm_mac = SSL_SHA256,
676 .algorithm_ssl = SSL_TLSV1_2,
677 .algo_strength = SSL_HIGH,
678 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
679 .strength_bits = 128,
680 .alg_bits = 128,
681 },
682 {
683 .value = 0x00c0,
684 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
685 .algorithm_mkey = SSL_kRSA,
686 .algorithm_auth = SSL_aRSA,
687 .algorithm_enc = SSL_CAMELLIA256,
688 .algorithm_mac = SSL_SHA256,
689 .algorithm_ssl = SSL_TLSV1_2,
690 .algo_strength = SSL_HIGH,
691 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
692 .strength_bits = 256,
693 .alg_bits = 256,
694 },
695 {
696 .value = 0x00c4,
697 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
698 .algorithm_mkey = SSL_kDHE,
699 .algorithm_auth = SSL_aRSA,
700 .algorithm_enc = SSL_CAMELLIA256,
701 .algorithm_mac = SSL_SHA256,
702 .algorithm_ssl = SSL_TLSV1_2,
703 .algo_strength = SSL_HIGH,
704 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
705 .strength_bits = 256,
706 .alg_bits = 256,
707 },
708 {
709 .value = 0x00c5,
710 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
711 .algorithm_mkey = SSL_kDHE,
712 .algorithm_auth = SSL_aNULL,
713 .algorithm_enc = SSL_CAMELLIA256,
714 .algorithm_mac = SSL_SHA256,
715 .algorithm_ssl = SSL_TLSV1_2,
716 .algo_strength = SSL_HIGH,
717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
718 .strength_bits = 256,
719 .alg_bits = 256,
720 },
721 #endif /* OPENSSL_NO_CAMELLIA */
722
723 #ifdef LIBRESSL_HAS_TLS1_3
724 /*
725 * TLSv1.3 cipher suites (RFC 8446).
726 */
727 {
728 .value = 0x1301,
729 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
730 .algorithm_mkey = SSL_kTLS1_3,
731 .algorithm_auth = SSL_aTLS1_3,
732 .algorithm_enc = SSL_AES128GCM,
733 .algorithm_mac = SSL_AEAD,
734 .algorithm_ssl = SSL_TLSV1_3,
735 .algo_strength = SSL_HIGH,
736 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
737 .strength_bits = 128,
738 .alg_bits = 128,
739 },
740 {
741 .value = 0x1302,
742 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
743 .algorithm_mkey = SSL_kTLS1_3,
744 .algorithm_auth = SSL_aTLS1_3,
745 .algorithm_enc = SSL_AES256GCM,
746 .algorithm_mac = SSL_AEAD,
747 .algorithm_ssl = SSL_TLSV1_3,
748 .algo_strength = SSL_HIGH,
749 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
750 .strength_bits = 256,
751 .alg_bits = 256,
752 },
753 {
754 .value = 0x1303,
755 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
756 .algorithm_mkey = SSL_kTLS1_3,
757 .algorithm_auth = SSL_aTLS1_3,
758 .algorithm_enc = SSL_CHACHA20POLY1305,
759 .algorithm_mac = SSL_AEAD,
760 .algorithm_ssl = SSL_TLSV1_3,
761 .algo_strength = SSL_HIGH,
762 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
763 .strength_bits = 256,
764 .alg_bits = 256,
765 },
766 #endif
767
768 /*
769 * TLSv1.0 Elliptic Curve cipher suites (RFC 4492, section 6).
770 */
771 {
772 .value = 0xc006,
773 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
774 .algorithm_mkey = SSL_kECDHE,
775 .algorithm_auth = SSL_aECDSA,
776 .algorithm_enc = SSL_eNULL,
777 .algorithm_mac = SSL_SHA1,
778 .algorithm_ssl = SSL_TLSV1,
779 .algo_strength = SSL_STRONG_NONE,
780 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
781 .strength_bits = 0,
782 .alg_bits = 0,
783 },
784 {
785 .value = 0xc007,
786 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
787 .algorithm_mkey = SSL_kECDHE,
788 .algorithm_auth = SSL_aECDSA,
789 .algorithm_enc = SSL_RC4,
790 .algorithm_mac = SSL_SHA1,
791 .algorithm_ssl = SSL_TLSV1,
792 .algo_strength = SSL_LOW,
793 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
794 .strength_bits = 128,
795 .alg_bits = 128,
796 },
797 {
798 .value = 0xc008,
799 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
800 .algorithm_mkey = SSL_kECDHE,
801 .algorithm_auth = SSL_aECDSA,
802 .algorithm_enc = SSL_3DES,
803 .algorithm_mac = SSL_SHA1,
804 .algorithm_ssl = SSL_TLSV1,
805 .algo_strength = SSL_MEDIUM,
806 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
807 .strength_bits = 112,
808 .alg_bits = 168,
809 },
810 {
811 .value = 0xc009,
812 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
813 .algorithm_mkey = SSL_kECDHE,
814 .algorithm_auth = SSL_aECDSA,
815 .algorithm_enc = SSL_AES128,
816 .algorithm_mac = SSL_SHA1,
817 .algorithm_ssl = SSL_TLSV1,
818 .algo_strength = SSL_HIGH,
819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
820 .strength_bits = 128,
821 .alg_bits = 128,
822 },
823 {
824 .value = 0xc00a,
825 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
826 .algorithm_mkey = SSL_kECDHE,
827 .algorithm_auth = SSL_aECDSA,
828 .algorithm_enc = SSL_AES256,
829 .algorithm_mac = SSL_SHA1,
830 .algorithm_ssl = SSL_TLSV1,
831 .algo_strength = SSL_HIGH,
832 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
833 .strength_bits = 256,
834 .alg_bits = 256,
835 },
836 {
837 .value = 0xc010,
838 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
839 .algorithm_mkey = SSL_kECDHE,
840 .algorithm_auth = SSL_aRSA,
841 .algorithm_enc = SSL_eNULL,
842 .algorithm_mac = SSL_SHA1,
843 .algorithm_ssl = SSL_TLSV1,
844 .algo_strength = SSL_STRONG_NONE,
845 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
846 .strength_bits = 0,
847 .alg_bits = 0,
848 },
849 {
850 .value = 0xc011,
851 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
852 .algorithm_mkey = SSL_kECDHE,
853 .algorithm_auth = SSL_aRSA,
854 .algorithm_enc = SSL_RC4,
855 .algorithm_mac = SSL_SHA1,
856 .algorithm_ssl = SSL_TLSV1,
857 .algo_strength = SSL_LOW,
858 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
859 .strength_bits = 128,
860 .alg_bits = 128,
861 },
862 {
863 .value = 0xc012,
864 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
865 .algorithm_mkey = SSL_kECDHE,
866 .algorithm_auth = SSL_aRSA,
867 .algorithm_enc = SSL_3DES,
868 .algorithm_mac = SSL_SHA1,
869 .algorithm_ssl = SSL_TLSV1,
870 .algo_strength = SSL_MEDIUM,
871 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
872 .strength_bits = 112,
873 .alg_bits = 168,
874 },
875 {
876 .value = 0xc013,
877 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
878 .algorithm_mkey = SSL_kECDHE,
879 .algorithm_auth = SSL_aRSA,
880 .algorithm_enc = SSL_AES128,
881 .algorithm_mac = SSL_SHA1,
882 .algorithm_ssl = SSL_TLSV1,
883 .algo_strength = SSL_HIGH,
884 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
885 .strength_bits = 128,
886 .alg_bits = 128,
887 },
888 {
889 .value = 0xc014,
890 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
891 .algorithm_mkey = SSL_kECDHE,
892 .algorithm_auth = SSL_aRSA,
893 .algorithm_enc = SSL_AES256,
894 .algorithm_mac = SSL_SHA1,
895 .algorithm_ssl = SSL_TLSV1,
896 .algo_strength = SSL_HIGH,
897 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
898 .strength_bits = 256,
899 .alg_bits = 256,
900 },
901 {
902 .value = 0xc015,
903 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
904 .algorithm_mkey = SSL_kECDHE,
905 .algorithm_auth = SSL_aNULL,
906 .algorithm_enc = SSL_eNULL,
907 .algorithm_mac = SSL_SHA1,
908 .algorithm_ssl = SSL_TLSV1,
909 .algo_strength = SSL_STRONG_NONE,
910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
911 .strength_bits = 0,
912 .alg_bits = 0,
913 },
914 {
915 .value = 0xc016,
916 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
917 .algorithm_mkey = SSL_kECDHE,
918 .algorithm_auth = SSL_aNULL,
919 .algorithm_enc = SSL_RC4,
920 .algorithm_mac = SSL_SHA1,
921 .algorithm_ssl = SSL_TLSV1,
922 .algo_strength = SSL_LOW,
923 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
924 .strength_bits = 128,
925 .alg_bits = 128,
926 },
927 {
928 .value = 0xc017,
929 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
930 .algorithm_mkey = SSL_kECDHE,
931 .algorithm_auth = SSL_aNULL,
932 .algorithm_enc = SSL_3DES,
933 .algorithm_mac = SSL_SHA1,
934 .algorithm_ssl = SSL_TLSV1,
935 .algo_strength = SSL_MEDIUM,
936 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
937 .strength_bits = 112,
938 .alg_bits = 168,
939 },
940 {
941 .value = 0xc018,
942 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
943 .algorithm_mkey = SSL_kECDHE,
944 .algorithm_auth = SSL_aNULL,
945 .algorithm_enc = SSL_AES128,
946 .algorithm_mac = SSL_SHA1,
947 .algorithm_ssl = SSL_TLSV1,
948 .algo_strength = SSL_HIGH,
949 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
950 .strength_bits = 128,
951 .alg_bits = 128,
952 },
953 {
954 .value = 0xc019,
955 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
956 .algorithm_mkey = SSL_kECDHE,
957 .algorithm_auth = SSL_aNULL,
958 .algorithm_enc = SSL_AES256,
959 .algorithm_mac = SSL_SHA1,
960 .algorithm_ssl = SSL_TLSV1,
961 .algo_strength = SSL_HIGH,
962 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
963 .strength_bits = 256,
964 .alg_bits = 256,
965 },
966
967 /*
968 * TLSv1.2 Elliptic Curve HMAC cipher suites (RFC 5289, section 3.1).
969 */
970 {
971 .value = 0xc023,
972 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
973 .algorithm_mkey = SSL_kECDHE,
974 .algorithm_auth = SSL_aECDSA,
975 .algorithm_enc = SSL_AES128,
976 .algorithm_mac = SSL_SHA256,
977 .algorithm_ssl = SSL_TLSV1_2,
978 .algo_strength = SSL_HIGH,
979 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
980 .strength_bits = 128,
981 .alg_bits = 128,
982 },
983 {
984 .value = 0xc024,
985 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
986 .algorithm_mkey = SSL_kECDHE,
987 .algorithm_auth = SSL_aECDSA,
988 .algorithm_enc = SSL_AES256,
989 .algorithm_mac = SSL_SHA384,
990 .algorithm_ssl = SSL_TLSV1_2,
991 .algo_strength = SSL_HIGH,
992 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
993 .strength_bits = 256,
994 .alg_bits = 256,
995 },
996 {
997 .value = 0xc027,
998 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
999 .algorithm_mkey = SSL_kECDHE,
1000 .algorithm_auth = SSL_aRSA,
1001 .algorithm_enc = SSL_AES128,
1002 .algorithm_mac = SSL_SHA256,
1003 .algorithm_ssl = SSL_TLSV1_2,
1004 .algo_strength = SSL_HIGH,
1005 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1006 .strength_bits = 128,
1007 .alg_bits = 128,
1008 },
1009 {
1010 .value = 0xc028,
1011 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1012 .algorithm_mkey = SSL_kECDHE,
1013 .algorithm_auth = SSL_aRSA,
1014 .algorithm_enc = SSL_AES256,
1015 .algorithm_mac = SSL_SHA384,
1016 .algorithm_ssl = SSL_TLSV1_2,
1017 .algo_strength = SSL_HIGH,
1018 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
1019 .strength_bits = 256,
1020 .alg_bits = 256,
1021 },
1022
1023 /*
1024 * TLSv1.2 Elliptic Curve GCM cipher suites (RFC 5289, section 3.2).
1025 */
1026 {
1027 .value = 0xc02b,
1028 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1029 .algorithm_mkey = SSL_kECDHE,
1030 .algorithm_auth = SSL_aECDSA,
1031 .algorithm_enc = SSL_AES128GCM,
1032 .algorithm_mac = SSL_AEAD,
1033 .algorithm_ssl = SSL_TLSV1_2,
1034 .algo_strength = SSL_HIGH,
1035 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1036 .strength_bits = 128,
1037 .alg_bits = 128,
1038 },
1039 {
1040 .value = 0xc02c,
1041 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1042 .algorithm_mkey = SSL_kECDHE,
1043 .algorithm_auth = SSL_aECDSA,
1044 .algorithm_enc = SSL_AES256GCM,
1045 .algorithm_mac = SSL_AEAD,
1046 .algorithm_ssl = SSL_TLSV1_2,
1047 .algo_strength = SSL_HIGH,
1048 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
1049 .strength_bits = 256,
1050 .alg_bits = 256,
1051 },
1052 {
1053 .value = 0xc02f,
1054 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1055 .algorithm_mkey = SSL_kECDHE,
1056 .algorithm_auth = SSL_aRSA,
1057 .algorithm_enc = SSL_AES128GCM,
1058 .algorithm_mac = SSL_AEAD,
1059 .algorithm_ssl = SSL_TLSV1_2,
1060 .algo_strength = SSL_HIGH,
1061 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1062 .strength_bits = 128,
1063 .alg_bits = 128,
1064 },
1065 {
1066 .value = 0xc030,
1067 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1068 .algorithm_mkey = SSL_kECDHE,
1069 .algorithm_auth = SSL_aRSA,
1070 .algorithm_enc = SSL_AES256GCM,
1071 .algorithm_mac = SSL_AEAD,
1072 .algorithm_ssl = SSL_TLSV1_2,
1073 .algo_strength = SSL_HIGH,
1074 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384,
1075 .strength_bits = 256,
1076 .alg_bits = 256,
1077 },
1078
1079 /*
1080 * TLSv1.2 ChaCha20-Poly1305 cipher suites (RFC 7905).
1081 */
1082 {
1083 .value = 0xcca8,
1084 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1085 .algorithm_mkey = SSL_kECDHE,
1086 .algorithm_auth = SSL_aRSA,
1087 .algorithm_enc = SSL_CHACHA20POLY1305,
1088 .algorithm_mac = SSL_AEAD,
1089 .algorithm_ssl = SSL_TLSV1_2,
1090 .algo_strength = SSL_HIGH,
1091 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1092 .strength_bits = 256,
1093 .alg_bits = 256,
1094 },
1095 {
1096 .value = 0xcca9,
1097 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1098 .algorithm_mkey = SSL_kECDHE,
1099 .algorithm_auth = SSL_aECDSA,
1100 .algorithm_enc = SSL_CHACHA20POLY1305,
1101 .algorithm_mac = SSL_AEAD,
1102 .algorithm_ssl = SSL_TLSV1_2,
1103 .algo_strength = SSL_HIGH,
1104 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1105 .strength_bits = 256,
1106 .alg_bits = 256,
1107 },
1108 {
1109 .value = 0xccaa,
1110 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1111 .algorithm_mkey = SSL_kDHE,
1112 .algorithm_auth = SSL_aRSA,
1113 .algorithm_enc = SSL_CHACHA20POLY1305,
1114 .algorithm_mac = SSL_AEAD,
1115 .algorithm_ssl = SSL_TLSV1_2,
1116 .algo_strength = SSL_HIGH,
1117 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1118 .strength_bits = 256,
1119 .alg_bits = 256,
1120 },
1121 };
1122
1123 int
ssl3_num_ciphers(void)1124 ssl3_num_ciphers(void)
1125 {
1126 return (SSL3_NUM_CIPHERS);
1127 }
1128
1129 const SSL_CIPHER *
ssl3_get_cipher_by_index(int idx)1130 ssl3_get_cipher_by_index(int idx)
1131 {
1132 if (idx < 0 || idx >= SSL3_NUM_CIPHERS)
1133 return NULL;
1134
1135 return &ssl3_ciphers[idx];
1136 }
1137
1138 static int
ssl3_cipher_value_cmp(const void * value,const void * cipher)1139 ssl3_cipher_value_cmp(const void *value, const void *cipher)
1140 {
1141 uint16_t a = *(const uint16_t *)value;
1142 uint16_t b = ((const SSL_CIPHER *)cipher)->value;
1143
1144 return a < b ? -1 : a > b;
1145 }
1146
1147 const SSL_CIPHER *
ssl3_get_cipher_by_value(uint16_t value)1148 ssl3_get_cipher_by_value(uint16_t value)
1149 {
1150 return bsearch(&value, ssl3_ciphers, SSL3_NUM_CIPHERS,
1151 sizeof(ssl3_ciphers[0]), ssl3_cipher_value_cmp);
1152 }
1153
1154 int
ssl3_pending(const SSL * s)1155 ssl3_pending(const SSL *s)
1156 {
1157 if (s->s3->rcontent == NULL)
1158 return 0;
1159 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA)
1160 return 0;
1161
1162 return tls_content_remaining(s->s3->rcontent);
1163 }
1164
1165 int
ssl3_handshake_msg_hdr_len(SSL * s)1166 ssl3_handshake_msg_hdr_len(SSL *s)
1167 {
1168 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1169 SSL3_HM_HEADER_LENGTH);
1170 }
1171
1172 int
ssl3_handshake_msg_start(SSL * s,CBB * handshake,CBB * body,uint8_t msg_type)1173 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1174 {
1175 int ret = 0;
1176
1177 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1178 goto err;
1179 if (!CBB_add_u8(handshake, msg_type))
1180 goto err;
1181 if (SSL_is_dtls(s)) {
1182 unsigned char *data;
1183
1184 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1185 SSL3_HM_HEADER_LENGTH))
1186 goto err;
1187 }
1188 if (!CBB_add_u24_length_prefixed(handshake, body))
1189 goto err;
1190
1191 ret = 1;
1192
1193 err:
1194 return (ret);
1195 }
1196
1197 int
ssl3_handshake_msg_finish(SSL * s,CBB * handshake)1198 ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1199 {
1200 unsigned char *data = NULL;
1201 size_t outlen;
1202 int ret = 0;
1203
1204 if (!CBB_finish(handshake, &data, &outlen))
1205 goto err;
1206
1207 if (outlen > INT_MAX)
1208 goto err;
1209
1210 if (!BUF_MEM_grow_clean(s->init_buf, outlen))
1211 goto err;
1212
1213 memcpy(s->init_buf->data, data, outlen);
1214
1215 s->init_num = (int)outlen;
1216 s->init_off = 0;
1217
1218 if (SSL_is_dtls(s)) {
1219 unsigned long len;
1220 uint8_t msg_type;
1221 CBS cbs;
1222
1223 CBS_init(&cbs, data, outlen);
1224 if (!CBS_get_u8(&cbs, &msg_type))
1225 goto err;
1226
1227 len = outlen - ssl3_handshake_msg_hdr_len(s);
1228
1229 dtls1_set_message_header(s, msg_type, len, 0, len);
1230 dtls1_buffer_message(s, 0);
1231 }
1232
1233 ret = 1;
1234
1235 err:
1236 free(data);
1237
1238 return (ret);
1239 }
1240
1241 int
ssl3_handshake_write(SSL * s)1242 ssl3_handshake_write(SSL *s)
1243 {
1244 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1245 }
1246
1247 int
ssl3_record_write(SSL * s,int type)1248 ssl3_record_write(SSL *s, int type)
1249 {
1250 if (SSL_is_dtls(s))
1251 return dtls1_do_write(s, type);
1252
1253 return ssl3_do_write(s, type);
1254 }
1255
1256 int
ssl3_new(SSL * s)1257 ssl3_new(SSL *s)
1258 {
1259 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1260 return (0);
1261
1262 s->method->ssl_clear(s);
1263
1264 return (1);
1265 }
1266
1267 void
ssl3_free(SSL * s)1268 ssl3_free(SSL *s)
1269 {
1270 if (s == NULL)
1271 return;
1272
1273 tls1_cleanup_key_block(s);
1274 ssl3_release_read_buffer(s);
1275 ssl3_release_write_buffer(s);
1276
1277 tls_content_free(s->s3->rcontent);
1278
1279 tls_buffer_free(s->s3->alert_fragment);
1280 tls_buffer_free(s->s3->handshake_fragment);
1281
1282 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1283
1284 sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
1285 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1286 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1287 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
1288 tls_key_share_free(s->s3->hs.key_share);
1289
1290 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1291 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1292 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1293
1294 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1295
1296 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1297
1298 tls1_transcript_free(s);
1299 tls1_transcript_hash_free(s);
1300
1301 free(s->s3->alpn_selected);
1302
1303 freezero(s->s3->peer_quic_transport_params,
1304 s->s3->peer_quic_transport_params_len);
1305
1306 freezero(s->s3, sizeof(*s->s3));
1307
1308 s->s3 = NULL;
1309 }
1310
1311 void
ssl3_clear(SSL * s)1312 ssl3_clear(SSL *s)
1313 {
1314 unsigned char *rp, *wp;
1315 size_t rlen, wlen;
1316
1317 tls1_cleanup_key_block(s);
1318 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1319
1320 tls_buffer_free(s->s3->alert_fragment);
1321 s->s3->alert_fragment = NULL;
1322 tls_buffer_free(s->s3->handshake_fragment);
1323 s->s3->handshake_fragment = NULL;
1324
1325 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1326 s->s3->hs.sigalgs = NULL;
1327 s->s3->hs.sigalgs_len = 0;
1328
1329 sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
1330 s->s3->hs.client_ciphers = NULL;
1331 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1332 s->s3->hs.peer_certs = NULL;
1333 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1334 s->s3->hs.peer_certs_no_leaf = NULL;
1335 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
1336 s->s3->hs.verified_chain = NULL;
1337
1338 tls_key_share_free(s->s3->hs.key_share);
1339 s->s3->hs.key_share = NULL;
1340
1341 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1342 s->s3->hs.tls13.secrets = NULL;
1343 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1344 s->s3->hs.tls13.cookie = NULL;
1345 s->s3->hs.tls13.cookie_len = 0;
1346 tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1347
1348 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1349 s->s3->hs.tls13.quic_read_buffer = NULL;
1350 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial;
1351 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial;
1352
1353 s->s3->hs.extensions_seen = 0;
1354
1355 rp = s->s3->rbuf.buf;
1356 wp = s->s3->wbuf.buf;
1357 rlen = s->s3->rbuf.len;
1358 wlen = s->s3->wbuf.len;
1359
1360 tls_content_free(s->s3->rcontent);
1361 s->s3->rcontent = NULL;
1362
1363 tls1_transcript_free(s);
1364 tls1_transcript_hash_free(s);
1365
1366 free(s->s3->alpn_selected);
1367 s->s3->alpn_selected = NULL;
1368 s->s3->alpn_selected_len = 0;
1369
1370 freezero(s->s3->peer_quic_transport_params,
1371 s->s3->peer_quic_transport_params_len);
1372 s->s3->peer_quic_transport_params = NULL;
1373 s->s3->peer_quic_transport_params_len = 0;
1374
1375 memset(s->s3, 0, sizeof(*s->s3));
1376
1377 s->s3->rbuf.buf = rp;
1378 s->s3->wbuf.buf = wp;
1379 s->s3->rbuf.len = rlen;
1380 s->s3->wbuf.len = wlen;
1381
1382 ssl_free_wbio_buffer(s);
1383
1384 /* Not needed... */
1385 s->s3->renegotiate = 0;
1386 s->s3->total_renegotiations = 0;
1387 s->s3->num_renegotiations = 0;
1388 s->s3->in_read_app_data = 0;
1389
1390 s->packet_length = 0;
1391 s->version = TLS1_2_VERSION;
1392
1393 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1394 }
1395
1396 long
_SSL_get_shared_group(SSL * s,long n)1397 _SSL_get_shared_group(SSL *s, long n)
1398 {
1399 size_t count;
1400 int nid;
1401
1402 /* OpenSSL document that they return -1 for clients. They return 0. */
1403 if (!s->server)
1404 return 0;
1405
1406 if (n == -1) {
1407 if (!tls1_count_shared_groups(s, &count))
1408 return 0;
1409
1410 if (count > LONG_MAX)
1411 count = LONG_MAX;
1412
1413 return count;
1414 }
1415
1416 /* Undocumented special case added for Suite B profile support. */
1417 if (n == -2)
1418 n = 0;
1419
1420 if (n < 0)
1421 return 0;
1422
1423 if (!tls1_get_shared_group_by_index(s, n, &nid))
1424 return NID_undef;
1425
1426 return nid;
1427 }
1428
1429 long
_SSL_get_peer_tmp_key(SSL * s,EVP_PKEY ** key)1430 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1431 {
1432 EVP_PKEY *pkey = NULL;
1433 int ret = 0;
1434
1435 *key = NULL;
1436
1437 if (s->s3->hs.key_share == NULL)
1438 goto err;
1439
1440 if ((pkey = EVP_PKEY_new()) == NULL)
1441 goto err;
1442 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1443 goto err;
1444
1445 *key = pkey;
1446 pkey = NULL;
1447
1448 ret = 1;
1449
1450 err:
1451 EVP_PKEY_free(pkey);
1452
1453 return (ret);
1454 }
1455
1456 static int
_SSL_session_reused(SSL * s)1457 _SSL_session_reused(SSL *s)
1458 {
1459 return s->hit;
1460 }
1461
1462 static int
_SSL_num_renegotiations(SSL * s)1463 _SSL_num_renegotiations(SSL *s)
1464 {
1465 return s->s3->num_renegotiations;
1466 }
1467
1468 static int
_SSL_clear_num_renegotiations(SSL * s)1469 _SSL_clear_num_renegotiations(SSL *s)
1470 {
1471 int renegs;
1472
1473 renegs = s->s3->num_renegotiations;
1474 s->s3->num_renegotiations = 0;
1475
1476 return renegs;
1477 }
1478
1479 static int
_SSL_total_renegotiations(SSL * s)1480 _SSL_total_renegotiations(SSL *s)
1481 {
1482 return s->s3->total_renegotiations;
1483 }
1484
1485 static int
_SSL_set_tmp_dh(SSL * s,DH * dh)1486 _SSL_set_tmp_dh(SSL *s, DH *dh)
1487 {
1488 DH *dhe_params;
1489
1490 if (dh == NULL) {
1491 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1492 return 0;
1493 }
1494
1495 if (!ssl_security_dh(s, dh)) {
1496 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1497 return 0;
1498 }
1499
1500 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1501 SSLerror(s, ERR_R_DH_LIB);
1502 return 0;
1503 }
1504
1505 DH_free(s->cert->dhe_params);
1506 s->cert->dhe_params = dhe_params;
1507
1508 return 1;
1509 }
1510
1511 static int
_SSL_set_dh_auto(SSL * s,int state)1512 _SSL_set_dh_auto(SSL *s, int state)
1513 {
1514 s->cert->dhe_params_auto = state;
1515 return 1;
1516 }
1517
1518 static int
_SSL_set_tmp_ecdh(SSL * s,EC_KEY * ecdh)1519 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1520 {
1521 const EC_GROUP *group;
1522 int nid;
1523
1524 if (ecdh == NULL)
1525 return 0;
1526 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1527 return 0;
1528
1529 nid = EC_GROUP_get_curve_name(group);
1530 return SSL_set1_groups(s, &nid, 1);
1531 }
1532
1533 static int
_SSL_set_ecdh_auto(SSL * s,int state)1534 _SSL_set_ecdh_auto(SSL *s, int state)
1535 {
1536 return 1;
1537 }
1538
1539 static int
_SSL_set_tlsext_host_name(SSL * s,const char * name)1540 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1541 {
1542 int is_ip;
1543 CBS cbs;
1544
1545 free(s->tlsext_hostname);
1546 s->tlsext_hostname = NULL;
1547
1548 if (name == NULL)
1549 return 1;
1550
1551 CBS_init(&cbs, name, strlen(name));
1552
1553 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1554 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1555 return 0;
1556 }
1557 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1558 SSLerror(s, ERR_R_INTERNAL_ERROR);
1559 return 0;
1560 }
1561
1562 return 1;
1563 }
1564
1565 static int
_SSL_set_tlsext_debug_arg(SSL * s,void * arg)1566 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1567 {
1568 s->tlsext_debug_arg = arg;
1569 return 1;
1570 }
1571
1572 static int
_SSL_get_tlsext_status_type(SSL * s)1573 _SSL_get_tlsext_status_type(SSL *s)
1574 {
1575 return s->tlsext_status_type;
1576 }
1577
1578 static int
_SSL_set_tlsext_status_type(SSL * s,int type)1579 _SSL_set_tlsext_status_type(SSL *s, int type)
1580 {
1581 s->tlsext_status_type = type;
1582 return 1;
1583 }
1584
1585 static int
_SSL_get_tlsext_status_exts(SSL * s,STACK_OF (X509_EXTENSION)** exts)1586 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1587 {
1588 *exts = s->tlsext_ocsp_exts;
1589 return 1;
1590 }
1591
1592 static int
_SSL_set_tlsext_status_exts(SSL * s,STACK_OF (X509_EXTENSION)* exts)1593 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1594 {
1595 /* XXX - leak... */
1596 s->tlsext_ocsp_exts = exts;
1597 return 1;
1598 }
1599
1600 static int
_SSL_get_tlsext_status_ids(SSL * s,STACK_OF (OCSP_RESPID)** ids)1601 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1602 {
1603 *ids = s->tlsext_ocsp_ids;
1604 return 1;
1605 }
1606
1607 static int
_SSL_set_tlsext_status_ids(SSL * s,STACK_OF (OCSP_RESPID)* ids)1608 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1609 {
1610 /* XXX - leak... */
1611 s->tlsext_ocsp_ids = ids;
1612 return 1;
1613 }
1614
1615 static int
_SSL_get_tlsext_status_ocsp_resp(SSL * s,unsigned char ** resp)1616 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1617 {
1618 if (s->tlsext_ocsp_resp != NULL &&
1619 s->tlsext_ocsp_resp_len < INT_MAX) {
1620 *resp = s->tlsext_ocsp_resp;
1621 return (int)s->tlsext_ocsp_resp_len;
1622 }
1623
1624 *resp = NULL;
1625
1626 return -1;
1627 }
1628
1629 static int
_SSL_set_tlsext_status_ocsp_resp(SSL * s,unsigned char * resp,int resp_len)1630 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1631 {
1632 free(s->tlsext_ocsp_resp);
1633 s->tlsext_ocsp_resp = NULL;
1634 s->tlsext_ocsp_resp_len = 0;
1635
1636 if (resp_len < 0)
1637 return 0;
1638
1639 s->tlsext_ocsp_resp = resp;
1640 s->tlsext_ocsp_resp_len = (size_t)resp_len;
1641
1642 return 1;
1643 }
1644
1645 int
SSL_set0_chain(SSL * ssl,STACK_OF (X509)* chain)1646 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1647 {
1648 return ssl_cert_set0_chain(NULL, ssl, chain);
1649 }
1650 LSSL_ALIAS(SSL_set0_chain);
1651
1652 int
SSL_set1_chain(SSL * ssl,STACK_OF (X509)* chain)1653 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1654 {
1655 return ssl_cert_set1_chain(NULL, ssl, chain);
1656 }
1657 LSSL_ALIAS(SSL_set1_chain);
1658
1659 int
SSL_add0_chain_cert(SSL * ssl,X509 * x509)1660 SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1661 {
1662 return ssl_cert_add0_chain_cert(NULL, ssl, x509);
1663 }
1664 LSSL_ALIAS(SSL_add0_chain_cert);
1665
1666 int
SSL_add1_chain_cert(SSL * ssl,X509 * x509)1667 SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1668 {
1669 return ssl_cert_add1_chain_cert(NULL, ssl, x509);
1670 }
1671 LSSL_ALIAS(SSL_add1_chain_cert);
1672
1673 int
SSL_get0_chain_certs(const SSL * ssl,STACK_OF (X509)** out_chain)1674 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1675 {
1676 *out_chain = NULL;
1677
1678 if (ssl->cert->key != NULL)
1679 *out_chain = ssl->cert->key->chain;
1680
1681 return 1;
1682 }
1683 LSSL_ALIAS(SSL_get0_chain_certs);
1684
1685 int
SSL_clear_chain_certs(SSL * ssl)1686 SSL_clear_chain_certs(SSL *ssl)
1687 {
1688 return ssl_cert_set0_chain(NULL, ssl, NULL);
1689 }
1690 LSSL_ALIAS(SSL_clear_chain_certs);
1691
1692 int
SSL_set1_groups(SSL * s,const int * groups,size_t groups_len)1693 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1694 {
1695 return tls1_set_groups(&s->tlsext_supportedgroups,
1696 &s->tlsext_supportedgroups_length, groups, groups_len);
1697 }
1698 LSSL_ALIAS(SSL_set1_groups);
1699
1700 int
SSL_set1_groups_list(SSL * s,const char * groups)1701 SSL_set1_groups_list(SSL *s, const char *groups)
1702 {
1703 return tls1_set_group_list(&s->tlsext_supportedgroups,
1704 &s->tlsext_supportedgroups_length, groups);
1705 }
1706 LSSL_ALIAS(SSL_set1_groups_list);
1707
1708 static int
_SSL_get_signature_nid(SSL * s,int * nid)1709 _SSL_get_signature_nid(SSL *s, int *nid)
1710 {
1711 const struct ssl_sigalg *sigalg;
1712
1713 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1714 return 0;
1715
1716 *nid = EVP_MD_type(sigalg->md());
1717
1718 return 1;
1719 }
1720
1721 static int
_SSL_get_peer_signature_nid(SSL * s,int * nid)1722 _SSL_get_peer_signature_nid(SSL *s, int *nid)
1723 {
1724 const struct ssl_sigalg *sigalg;
1725
1726 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1727 return 0;
1728
1729 *nid = EVP_MD_type(sigalg->md());
1730
1731 return 1;
1732 }
1733
1734 int
SSL_get_signature_type_nid(const SSL * s,int * nid)1735 SSL_get_signature_type_nid(const SSL *s, int *nid)
1736 {
1737 const struct ssl_sigalg *sigalg;
1738
1739 if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1740 return 0;
1741
1742 *nid = sigalg->key_type;
1743 if (sigalg->key_type == EVP_PKEY_RSA &&
1744 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1745 *nid = EVP_PKEY_RSA_PSS;
1746
1747 return 1;
1748 }
1749 LSSL_ALIAS(SSL_get_signature_type_nid);
1750
1751 int
SSL_get_peer_signature_type_nid(const SSL * s,int * nid)1752 SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
1753 {
1754 const struct ssl_sigalg *sigalg;
1755
1756 if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1757 return 0;
1758
1759 *nid = sigalg->key_type;
1760 if (sigalg->key_type == EVP_PKEY_RSA &&
1761 (sigalg->flags & SIGALG_FLAG_RSA_PSS))
1762 *nid = EVP_PKEY_RSA_PSS;
1763
1764 return 1;
1765 }
1766 LSSL_ALIAS(SSL_get_peer_signature_type_nid);
1767
1768 long
ssl3_ctrl(SSL * s,int cmd,long larg,void * parg)1769 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1770 {
1771 switch (cmd) {
1772 case SSL_CTRL_GET_SESSION_REUSED:
1773 return _SSL_session_reused(s);
1774
1775 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1776 return _SSL_num_renegotiations(s);
1777
1778 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1779 return _SSL_clear_num_renegotiations(s);
1780
1781 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1782 return _SSL_total_renegotiations(s);
1783
1784 case SSL_CTRL_SET_TMP_DH:
1785 return _SSL_set_tmp_dh(s, parg);
1786
1787 case SSL_CTRL_SET_TMP_DH_CB:
1788 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1789 return 0;
1790
1791 case SSL_CTRL_SET_DH_AUTO:
1792 return _SSL_set_dh_auto(s, larg);
1793
1794 case SSL_CTRL_SET_TMP_ECDH:
1795 return _SSL_set_tmp_ecdh(s, parg);
1796
1797 case SSL_CTRL_SET_TMP_ECDH_CB:
1798 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1799 return 0;
1800
1801 case SSL_CTRL_SET_ECDH_AUTO:
1802 return _SSL_set_ecdh_auto(s, larg);
1803
1804 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
1805 if (larg != TLSEXT_NAMETYPE_host_name) {
1806 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
1807 return 0;
1808 }
1809 return _SSL_set_tlsext_host_name(s, parg);
1810
1811 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
1812 return _SSL_set_tlsext_debug_arg(s, parg);
1813
1814 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
1815 return _SSL_get_tlsext_status_type(s);
1816
1817 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
1818 return _SSL_set_tlsext_status_type(s, larg);
1819
1820 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
1821 return _SSL_get_tlsext_status_exts(s, parg);
1822
1823 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
1824 return _SSL_set_tlsext_status_exts(s, parg);
1825
1826 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
1827 return _SSL_get_tlsext_status_ids(s, parg);
1828
1829 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
1830 return _SSL_set_tlsext_status_ids(s, parg);
1831
1832 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
1833 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
1834
1835 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
1836 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
1837
1838 case SSL_CTRL_CHAIN:
1839 if (larg == 0)
1840 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
1841 else
1842 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
1843
1844 case SSL_CTRL_CHAIN_CERT:
1845 if (larg == 0)
1846 return SSL_add0_chain_cert(s, (X509 *)parg);
1847 else
1848 return SSL_add1_chain_cert(s, (X509 *)parg);
1849
1850 case SSL_CTRL_GET_CHAIN_CERTS:
1851 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
1852
1853 case SSL_CTRL_SET_GROUPS:
1854 return SSL_set1_groups(s, parg, larg);
1855
1856 case SSL_CTRL_SET_GROUPS_LIST:
1857 return SSL_set1_groups_list(s, parg);
1858
1859 case SSL_CTRL_GET_SHARED_GROUP:
1860 return _SSL_get_shared_group(s, larg);
1861
1862 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
1863 case SSL_CTRL_GET_SERVER_TMP_KEY:
1864 if (s->server != 0)
1865 return 0;
1866 return _SSL_get_peer_tmp_key(s, parg);
1867
1868 case SSL_CTRL_GET_MIN_PROTO_VERSION:
1869 return SSL_get_min_proto_version(s);
1870
1871 case SSL_CTRL_GET_MAX_PROTO_VERSION:
1872 return SSL_get_max_proto_version(s);
1873
1874 case SSL_CTRL_SET_MIN_PROTO_VERSION:
1875 if (larg < 0 || larg > UINT16_MAX)
1876 return 0;
1877 return SSL_set_min_proto_version(s, larg);
1878
1879 case SSL_CTRL_SET_MAX_PROTO_VERSION:
1880 if (larg < 0 || larg > UINT16_MAX)
1881 return 0;
1882 return SSL_set_max_proto_version(s, larg);
1883
1884 case SSL_CTRL_GET_SIGNATURE_NID:
1885 return _SSL_get_signature_nid(s, parg);
1886
1887 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
1888 return _SSL_get_peer_signature_nid(s, parg);
1889
1890 /*
1891 * Legacy controls that should eventually be removed.
1892 */
1893 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
1894 return 0;
1895
1896 case SSL_CTRL_GET_FLAGS:
1897 return (int)(s->s3->flags);
1898
1899 case SSL_CTRL_NEED_TMP_RSA:
1900 return 0;
1901
1902 case SSL_CTRL_SET_TMP_RSA:
1903 case SSL_CTRL_SET_TMP_RSA_CB:
1904 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1905 return 0;
1906 }
1907
1908 return 0;
1909 }
1910
1911 long
ssl3_callback_ctrl(SSL * s,int cmd,void (* fp)(void))1912 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1913 {
1914 switch (cmd) {
1915 case SSL_CTRL_SET_TMP_RSA_CB:
1916 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1917 return 0;
1918
1919 case SSL_CTRL_SET_TMP_DH_CB:
1920 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
1921 return 1;
1922
1923 case SSL_CTRL_SET_TMP_ECDH_CB:
1924 return 1;
1925
1926 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
1927 s->tlsext_debug_cb = (void (*)(SSL *, int , int,
1928 unsigned char *, int, void *))fp;
1929 return 1;
1930 }
1931
1932 return 0;
1933 }
1934
1935 static int
_SSL_CTX_set_tmp_dh(SSL_CTX * ctx,DH * dh)1936 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
1937 {
1938 DH *dhe_params;
1939
1940 if (dh == NULL) {
1941 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
1942 return 0;
1943 }
1944
1945 if (!ssl_ctx_security_dh(ctx, dh)) {
1946 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
1947 return 0;
1948 }
1949
1950 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1951 SSLerrorx(ERR_R_DH_LIB);
1952 return 0;
1953 }
1954
1955 DH_free(ctx->cert->dhe_params);
1956 ctx->cert->dhe_params = dhe_params;
1957
1958 return 1;
1959 }
1960
1961 static int
_SSL_CTX_set_dh_auto(SSL_CTX * ctx,int state)1962 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
1963 {
1964 ctx->cert->dhe_params_auto = state;
1965 return 1;
1966 }
1967
1968 static int
_SSL_CTX_set_tmp_ecdh(SSL_CTX * ctx,EC_KEY * ecdh)1969 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
1970 {
1971 const EC_GROUP *group;
1972 int nid;
1973
1974 if (ecdh == NULL)
1975 return 0;
1976 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1977 return 0;
1978
1979 nid = EC_GROUP_get_curve_name(group);
1980 return SSL_CTX_set1_groups(ctx, &nid, 1);
1981 }
1982
1983 static int
_SSL_CTX_set_ecdh_auto(SSL_CTX * ctx,int state)1984 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
1985 {
1986 return 1;
1987 }
1988
1989 static int
_SSL_CTX_set_tlsext_servername_arg(SSL_CTX * ctx,void * arg)1990 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
1991 {
1992 ctx->tlsext_servername_arg = arg;
1993 return 1;
1994 }
1995
1996 static int
_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX * ctx,unsigned char * keys,int keys_len)1997 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
1998 {
1999 if (keys == NULL)
2000 return 48;
2001
2002 if (keys_len != 48) {
2003 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2004 return 0;
2005 }
2006
2007 memcpy(keys, ctx->tlsext_tick_key_name, 16);
2008 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
2009 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
2010
2011 return 1;
2012 }
2013
2014 static int
_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX * ctx,unsigned char * keys,int keys_len)2015 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2016 {
2017 if (keys == NULL)
2018 return 48;
2019
2020 if (keys_len != 48) {
2021 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2022 return 0;
2023 }
2024
2025 memcpy(ctx->tlsext_tick_key_name, keys, 16);
2026 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
2027 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
2028
2029 return 1;
2030 }
2031
2032 static int
_SSL_CTX_get_tlsext_status_arg(SSL_CTX * ctx,void ** arg)2033 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2034 {
2035 *arg = ctx->tlsext_status_arg;
2036 return 1;
2037 }
2038
2039 static int
_SSL_CTX_set_tlsext_status_arg(SSL_CTX * ctx,void * arg)2040 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2041 {
2042 ctx->tlsext_status_arg = arg;
2043 return 1;
2044 }
2045
2046 int
SSL_CTX_set0_chain(SSL_CTX * ctx,STACK_OF (X509)* chain)2047 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2048 {
2049 return ssl_cert_set0_chain(ctx, NULL, chain);
2050 }
2051 LSSL_ALIAS(SSL_CTX_set0_chain);
2052
2053 int
SSL_CTX_set1_chain(SSL_CTX * ctx,STACK_OF (X509)* chain)2054 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2055 {
2056 return ssl_cert_set1_chain(ctx, NULL, chain);
2057 }
2058 LSSL_ALIAS(SSL_CTX_set1_chain);
2059
2060 int
SSL_CTX_add0_chain_cert(SSL_CTX * ctx,X509 * x509)2061 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2062 {
2063 return ssl_cert_add0_chain_cert(ctx, NULL, x509);
2064 }
2065 LSSL_ALIAS(SSL_CTX_add0_chain_cert);
2066
2067 int
SSL_CTX_add1_chain_cert(SSL_CTX * ctx,X509 * x509)2068 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2069 {
2070 return ssl_cert_add1_chain_cert(ctx, NULL, x509);
2071 }
2072 LSSL_ALIAS(SSL_CTX_add1_chain_cert);
2073
2074 int
SSL_CTX_get0_chain_certs(const SSL_CTX * ctx,STACK_OF (X509)** out_chain)2075 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2076 {
2077 *out_chain = NULL;
2078
2079 if (ctx->cert->key != NULL)
2080 *out_chain = ctx->cert->key->chain;
2081
2082 return 1;
2083 }
2084 LSSL_ALIAS(SSL_CTX_get0_chain_certs);
2085
2086 int
SSL_CTX_clear_chain_certs(SSL_CTX * ctx)2087 SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2088 {
2089 return ssl_cert_set0_chain(ctx, NULL, NULL);
2090 }
2091 LSSL_ALIAS(SSL_CTX_clear_chain_certs);
2092
2093 static int
_SSL_CTX_add_extra_chain_cert(SSL_CTX * ctx,X509 * cert)2094 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2095 {
2096 if (ctx->extra_certs == NULL) {
2097 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2098 return 0;
2099 }
2100 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2101 return 0;
2102
2103 return 1;
2104 }
2105
2106 static int
_SSL_CTX_get_extra_chain_certs(SSL_CTX * ctx,STACK_OF (X509)** certs)2107 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2108 {
2109 *certs = ctx->extra_certs;
2110 if (*certs == NULL)
2111 *certs = ctx->cert->key->chain;
2112
2113 return 1;
2114 }
2115
2116 static int
_SSL_CTX_get_extra_chain_certs_only(SSL_CTX * ctx,STACK_OF (X509)** certs)2117 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2118 {
2119 *certs = ctx->extra_certs;
2120 return 1;
2121 }
2122
2123 static int
_SSL_CTX_clear_extra_chain_certs(SSL_CTX * ctx)2124 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2125 {
2126 sk_X509_pop_free(ctx->extra_certs, X509_free);
2127 ctx->extra_certs = NULL;
2128 return 1;
2129 }
2130
2131 int
SSL_CTX_set1_groups(SSL_CTX * ctx,const int * groups,size_t groups_len)2132 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2133 {
2134 return tls1_set_groups(&ctx->tlsext_supportedgroups,
2135 &ctx->tlsext_supportedgroups_length, groups, groups_len);
2136 }
2137 LSSL_ALIAS(SSL_CTX_set1_groups);
2138
2139 int
SSL_CTX_set1_groups_list(SSL_CTX * ctx,const char * groups)2140 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2141 {
2142 return tls1_set_group_list(&ctx->tlsext_supportedgroups,
2143 &ctx->tlsext_supportedgroups_length, groups);
2144 }
2145 LSSL_ALIAS(SSL_CTX_set1_groups_list);
2146
2147 long
ssl3_ctx_ctrl(SSL_CTX * ctx,int cmd,long larg,void * parg)2148 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2149 {
2150 switch (cmd) {
2151 case SSL_CTRL_SET_TMP_DH:
2152 return _SSL_CTX_set_tmp_dh(ctx, parg);
2153
2154 case SSL_CTRL_SET_TMP_DH_CB:
2155 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2156 return 0;
2157
2158 case SSL_CTRL_SET_DH_AUTO:
2159 return _SSL_CTX_set_dh_auto(ctx, larg);
2160
2161 case SSL_CTRL_SET_TMP_ECDH:
2162 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2163
2164 case SSL_CTRL_SET_TMP_ECDH_CB:
2165 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2166 return 0;
2167
2168 case SSL_CTRL_SET_ECDH_AUTO:
2169 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2170
2171 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2172 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2173
2174 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2175 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2176
2177 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2178 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2179
2180 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2181 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2182
2183 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2184 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2185
2186 case SSL_CTRL_CHAIN:
2187 if (larg == 0)
2188 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2189 else
2190 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2191
2192 case SSL_CTRL_CHAIN_CERT:
2193 if (larg == 0)
2194 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2195 else
2196 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2197
2198 case SSL_CTRL_GET_CHAIN_CERTS:
2199 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2200
2201 case SSL_CTRL_EXTRA_CHAIN_CERT:
2202 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2203
2204 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2205 if (larg == 0)
2206 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2207 else
2208 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2209
2210 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2211 return _SSL_CTX_clear_extra_chain_certs(ctx);
2212
2213 case SSL_CTRL_SET_GROUPS:
2214 return SSL_CTX_set1_groups(ctx, parg, larg);
2215
2216 case SSL_CTRL_SET_GROUPS_LIST:
2217 return SSL_CTX_set1_groups_list(ctx, parg);
2218
2219 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2220 return SSL_CTX_get_min_proto_version(ctx);
2221
2222 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2223 return SSL_CTX_get_max_proto_version(ctx);
2224
2225 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2226 if (larg < 0 || larg > UINT16_MAX)
2227 return 0;
2228 return SSL_CTX_set_min_proto_version(ctx, larg);
2229
2230 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2231 if (larg < 0 || larg > UINT16_MAX)
2232 return 0;
2233 return SSL_CTX_set_max_proto_version(ctx, larg);
2234
2235 /*
2236 * Legacy controls that should eventually be removed.
2237 */
2238 case SSL_CTRL_NEED_TMP_RSA:
2239 return 0;
2240
2241 case SSL_CTRL_SET_TMP_RSA:
2242 case SSL_CTRL_SET_TMP_RSA_CB:
2243 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2244 return 0;
2245 }
2246
2247 return 0;
2248 }
2249
2250 long
ssl3_ctx_callback_ctrl(SSL_CTX * ctx,int cmd,void (* fp)(void))2251 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2252 {
2253 switch (cmd) {
2254 case SSL_CTRL_SET_TMP_RSA_CB:
2255 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2256 return 0;
2257
2258 case SSL_CTRL_SET_TMP_DH_CB:
2259 ctx->cert->dhe_params_cb =
2260 (DH *(*)(SSL *, int, int))fp;
2261 return 1;
2262
2263 case SSL_CTRL_SET_TMP_ECDH_CB:
2264 return 1;
2265
2266 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2267 ctx->tlsext_servername_callback =
2268 (int (*)(SSL *, int *, void *))fp;
2269 return 1;
2270
2271 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2272 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb;
2273 return 1;
2274
2275 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2276 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2277 return 1;
2278
2279 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2280 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2281 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2282 return 1;
2283 }
2284
2285 return 0;
2286 }
2287
2288 SSL_CIPHER *
ssl3_choose_cipher(SSL * s,STACK_OF (SSL_CIPHER)* clnt,STACK_OF (SSL_CIPHER)* srvr)2289 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2290 STACK_OF(SSL_CIPHER) *srvr)
2291 {
2292 unsigned long alg_k, alg_a, mask_k, mask_a;
2293 STACK_OF(SSL_CIPHER) *prio, *allow;
2294 SSL_CIPHER *c, *ret = NULL;
2295 int can_use_ecc;
2296 int i, ii, nid, ok;
2297 SSL_CERT *cert;
2298
2299 /* Let's see which ciphers we can support */
2300 cert = s->cert;
2301
2302 can_use_ecc = tls1_get_supported_group(s, &nid);
2303
2304 /*
2305 * Do not set the compare functions, because this may lead to a
2306 * reordering by "id". We want to keep the original ordering.
2307 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2308 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2309 */
2310
2311 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2312 prio = srvr;
2313 allow = clnt;
2314 } else {
2315 prio = clnt;
2316 allow = srvr;
2317 }
2318
2319 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2320 c = sk_SSL_CIPHER_value(prio, i);
2321
2322 /* Skip TLS v1.2 only ciphersuites if not supported. */
2323 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2324 !SSL_USE_TLS1_2_CIPHERS(s))
2325 continue;
2326
2327 /* Skip TLS v1.3 only ciphersuites if not supported. */
2328 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2329 !SSL_USE_TLS1_3_CIPHERS(s))
2330 continue;
2331
2332 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2333 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2334 !(c->algorithm_ssl & SSL_TLSV1_3))
2335 continue;
2336
2337 if (!ssl_security_shared_cipher(s, c))
2338 continue;
2339
2340 ssl_set_cert_masks(cert, c);
2341 mask_k = cert->mask_k;
2342 mask_a = cert->mask_a;
2343
2344 alg_k = c->algorithm_mkey;
2345 alg_a = c->algorithm_auth;
2346
2347 ok = (alg_k & mask_k) && (alg_a & mask_a);
2348
2349 /*
2350 * If we are considering an ECC cipher suite that uses our
2351 * certificate check it.
2352 */
2353 if (alg_a & SSL_aECDSA)
2354 ok = ok && tls1_check_ec_server_key(s);
2355 /*
2356 * If we are considering an ECC cipher suite that uses
2357 * an ephemeral EC key check it.
2358 */
2359 if (alg_k & SSL_kECDHE)
2360 ok = ok && can_use_ecc;
2361
2362 if (!ok)
2363 continue;
2364 ii = sk_SSL_CIPHER_find(allow, c);
2365 if (ii >= 0) {
2366 ret = sk_SSL_CIPHER_value(allow, ii);
2367 break;
2368 }
2369 }
2370 return (ret);
2371 }
2372
2373 #define SSL3_CT_RSA_SIGN 1
2374 #define SSL3_CT_RSA_FIXED_DH 3
2375 #define SSL3_CT_ECDSA_SIGN 64
2376
2377 int
ssl3_get_req_cert_types(SSL * s,CBB * cbb)2378 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2379 {
2380 unsigned long alg_k;
2381
2382 alg_k = s->s3->hs.cipher->algorithm_mkey;
2383
2384 if ((alg_k & SSL_kDHE) != 0) {
2385 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2386 return 0;
2387 }
2388
2389 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2390 return 0;
2391
2392 /*
2393 * ECDSA certs can be used with RSA cipher suites as well
2394 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2395 */
2396 if (!CBB_add_u8(cbb, SSL3_CT_ECDSA_SIGN))
2397 return 0;
2398
2399 return 1;
2400 }
2401
2402 int
ssl3_shutdown(SSL * s)2403 ssl3_shutdown(SSL *s)
2404 {
2405 int ret;
2406
2407 /*
2408 * Don't do anything much if we have not done the handshake or
2409 * we don't want to send messages :-)
2410 */
2411 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2412 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2413 return (1);
2414 }
2415
2416 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
2417 s->shutdown|=SSL_SENT_SHUTDOWN;
2418 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2419 /*
2420 * Our shutdown alert has been sent now, and if it still needs
2421 * to be written, s->s3->alert_dispatch will be true
2422 */
2423 if (s->s3->alert_dispatch)
2424 return (-1); /* return WANT_WRITE */
2425 } else if (s->s3->alert_dispatch) {
2426 /* resend it if not sent */
2427 ret = ssl3_dispatch_alert(s);
2428 if (ret == -1) {
2429 /*
2430 * We only get to return -1 here the 2nd/Nth
2431 * invocation, we must have already signalled
2432 * return 0 upon a previous invoation,
2433 * return WANT_WRITE
2434 */
2435 return (ret);
2436 }
2437 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2438 /* If we are waiting for a close from our peer, we are closed */
2439 s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2440 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2441 return (-1); /* return WANT_READ */
2442 }
2443 }
2444
2445 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2446 !s->s3->alert_dispatch)
2447 return (1);
2448 else
2449 return (0);
2450 }
2451
2452 int
ssl3_write(SSL * s,const void * buf,int len)2453 ssl3_write(SSL *s, const void *buf, int len)
2454 {
2455 errno = 0;
2456
2457 if (s->s3->renegotiate)
2458 ssl3_renegotiate_check(s);
2459
2460 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2461 buf, len);
2462 }
2463
2464 static int
ssl3_read_internal(SSL * s,void * buf,int len,int peek)2465 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2466 {
2467 int ret;
2468
2469 errno = 0;
2470 if (s->s3->renegotiate)
2471 ssl3_renegotiate_check(s);
2472 s->s3->in_read_app_data = 1;
2473
2474 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2475 peek);
2476 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2477 /*
2478 * ssl3_read_bytes decided to call s->handshake_func,
2479 * which called ssl3_read_bytes to read handshake data.
2480 * However, ssl3_read_bytes actually found application data
2481 * and thinks that application data makes sense here; so disable
2482 * handshake processing and try to read application data again.
2483 */
2484 s->in_handshake++;
2485 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2486 buf, len, peek);
2487 s->in_handshake--;
2488 } else
2489 s->s3->in_read_app_data = 0;
2490
2491 return (ret);
2492 }
2493
2494 int
ssl3_read(SSL * s,void * buf,int len)2495 ssl3_read(SSL *s, void *buf, int len)
2496 {
2497 return ssl3_read_internal(s, buf, len, 0);
2498 }
2499
2500 int
ssl3_peek(SSL * s,void * buf,int len)2501 ssl3_peek(SSL *s, void *buf, int len)
2502 {
2503 return ssl3_read_internal(s, buf, len, 1);
2504 }
2505
2506 int
ssl3_renegotiate(SSL * s)2507 ssl3_renegotiate(SSL *s)
2508 {
2509 if (s->handshake_func == NULL)
2510 return 1;
2511
2512 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2513 return 0;
2514
2515 s->s3->renegotiate = 1;
2516
2517 return 1;
2518 }
2519
2520 int
ssl3_renegotiate_check(SSL * s)2521 ssl3_renegotiate_check(SSL *s)
2522 {
2523 if (!s->s3->renegotiate)
2524 return 0;
2525 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2526 return 0;
2527
2528 s->s3->hs.state = SSL_ST_RENEGOTIATE;
2529 s->s3->renegotiate = 0;
2530 s->s3->num_renegotiations++;
2531 s->s3->total_renegotiations++;
2532
2533 return 1;
2534 }
2535