1 /* $OpenBSD: s3_lib.c,v 1.210 2021/05/16 13:56:30 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 #include <openssl/opensslconf.h> 160 161 #include "bytestring.h" 162 #include "dtls_locl.h" 163 #include "ssl_locl.h" 164 165 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 166 167 /* 168 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 169 * fixed nonce length in algorithms2. It is the inverse of the 170 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 171 */ 172 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 173 174 /* list of available SSLv3 ciphers (sorted by id) */ 175 const SSL_CIPHER ssl3_ciphers[] = { 176 177 /* The RSA ciphers */ 178 /* Cipher 01 */ 179 { 180 .valid = 1, 181 .name = SSL3_TXT_RSA_NULL_MD5, 182 .id = SSL3_CK_RSA_NULL_MD5, 183 .algorithm_mkey = SSL_kRSA, 184 .algorithm_auth = SSL_aRSA, 185 .algorithm_enc = SSL_eNULL, 186 .algorithm_mac = SSL_MD5, 187 .algorithm_ssl = SSL_SSLV3, 188 .algo_strength = SSL_STRONG_NONE, 189 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 190 .strength_bits = 0, 191 .alg_bits = 0, 192 }, 193 194 /* Cipher 02 */ 195 { 196 .valid = 1, 197 .name = SSL3_TXT_RSA_NULL_SHA, 198 .id = SSL3_CK_RSA_NULL_SHA, 199 .algorithm_mkey = SSL_kRSA, 200 .algorithm_auth = SSL_aRSA, 201 .algorithm_enc = SSL_eNULL, 202 .algorithm_mac = SSL_SHA1, 203 .algorithm_ssl = SSL_SSLV3, 204 .algo_strength = SSL_STRONG_NONE, 205 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 206 .strength_bits = 0, 207 .alg_bits = 0, 208 }, 209 210 /* Cipher 04 */ 211 { 212 .valid = 1, 213 .name = SSL3_TXT_RSA_RC4_128_MD5, 214 .id = SSL3_CK_RSA_RC4_128_MD5, 215 .algorithm_mkey = SSL_kRSA, 216 .algorithm_auth = SSL_aRSA, 217 .algorithm_enc = SSL_RC4, 218 .algorithm_mac = SSL_MD5, 219 .algorithm_ssl = SSL_SSLV3, 220 .algo_strength = SSL_LOW, 221 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 222 .strength_bits = 128, 223 .alg_bits = 128, 224 }, 225 226 /* Cipher 05 */ 227 { 228 .valid = 1, 229 .name = SSL3_TXT_RSA_RC4_128_SHA, 230 .id = SSL3_CK_RSA_RC4_128_SHA, 231 .algorithm_mkey = SSL_kRSA, 232 .algorithm_auth = SSL_aRSA, 233 .algorithm_enc = SSL_RC4, 234 .algorithm_mac = SSL_SHA1, 235 .algorithm_ssl = SSL_SSLV3, 236 .algo_strength = SSL_LOW, 237 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 238 .strength_bits = 128, 239 .alg_bits = 128, 240 }, 241 242 /* Cipher 0A */ 243 { 244 .valid = 1, 245 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 246 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 247 .algorithm_mkey = SSL_kRSA, 248 .algorithm_auth = SSL_aRSA, 249 .algorithm_enc = SSL_3DES, 250 .algorithm_mac = SSL_SHA1, 251 .algorithm_ssl = SSL_SSLV3, 252 .algo_strength = SSL_MEDIUM, 253 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 254 .strength_bits = 112, 255 .alg_bits = 168, 256 }, 257 258 /* 259 * Ephemeral DH (DHE) ciphers. 260 */ 261 262 /* Cipher 16 */ 263 { 264 .valid = 1, 265 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 266 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 267 .algorithm_mkey = SSL_kDHE, 268 .algorithm_auth = SSL_aRSA, 269 .algorithm_enc = SSL_3DES, 270 .algorithm_mac = SSL_SHA1, 271 .algorithm_ssl = SSL_SSLV3, 272 .algo_strength = SSL_MEDIUM, 273 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 274 .strength_bits = 112, 275 .alg_bits = 168, 276 }, 277 278 /* Cipher 18 */ 279 { 280 .valid = 1, 281 .name = SSL3_TXT_ADH_RC4_128_MD5, 282 .id = SSL3_CK_ADH_RC4_128_MD5, 283 .algorithm_mkey = SSL_kDHE, 284 .algorithm_auth = SSL_aNULL, 285 .algorithm_enc = SSL_RC4, 286 .algorithm_mac = SSL_MD5, 287 .algorithm_ssl = SSL_SSLV3, 288 .algo_strength = SSL_LOW, 289 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 290 .strength_bits = 128, 291 .alg_bits = 128, 292 }, 293 294 /* Cipher 1B */ 295 { 296 .valid = 1, 297 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 298 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 299 .algorithm_mkey = SSL_kDHE, 300 .algorithm_auth = SSL_aNULL, 301 .algorithm_enc = SSL_3DES, 302 .algorithm_mac = SSL_SHA1, 303 .algorithm_ssl = SSL_SSLV3, 304 .algo_strength = SSL_MEDIUM, 305 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 306 .strength_bits = 112, 307 .alg_bits = 168, 308 }, 309 310 /* 311 * AES ciphersuites. 312 */ 313 314 /* Cipher 2F */ 315 { 316 .valid = 1, 317 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 318 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 319 .algorithm_mkey = SSL_kRSA, 320 .algorithm_auth = SSL_aRSA, 321 .algorithm_enc = SSL_AES128, 322 .algorithm_mac = SSL_SHA1, 323 .algorithm_ssl = SSL_TLSV1, 324 .algo_strength = SSL_HIGH, 325 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 326 .strength_bits = 128, 327 .alg_bits = 128, 328 }, 329 330 /* Cipher 33 */ 331 { 332 .valid = 1, 333 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 334 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 335 .algorithm_mkey = SSL_kDHE, 336 .algorithm_auth = SSL_aRSA, 337 .algorithm_enc = SSL_AES128, 338 .algorithm_mac = SSL_SHA1, 339 .algorithm_ssl = SSL_TLSV1, 340 .algo_strength = SSL_HIGH, 341 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 342 .strength_bits = 128, 343 .alg_bits = 128, 344 }, 345 346 /* Cipher 34 */ 347 { 348 .valid = 1, 349 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 350 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 351 .algorithm_mkey = SSL_kDHE, 352 .algorithm_auth = SSL_aNULL, 353 .algorithm_enc = SSL_AES128, 354 .algorithm_mac = SSL_SHA1, 355 .algorithm_ssl = SSL_TLSV1, 356 .algo_strength = SSL_HIGH, 357 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 358 .strength_bits = 128, 359 .alg_bits = 128, 360 }, 361 362 /* Cipher 35 */ 363 { 364 .valid = 1, 365 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 366 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 367 .algorithm_mkey = SSL_kRSA, 368 .algorithm_auth = SSL_aRSA, 369 .algorithm_enc = SSL_AES256, 370 .algorithm_mac = SSL_SHA1, 371 .algorithm_ssl = SSL_TLSV1, 372 .algo_strength = SSL_HIGH, 373 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 374 .strength_bits = 256, 375 .alg_bits = 256, 376 }, 377 378 /* Cipher 39 */ 379 { 380 .valid = 1, 381 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 382 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 383 .algorithm_mkey = SSL_kDHE, 384 .algorithm_auth = SSL_aRSA, 385 .algorithm_enc = SSL_AES256, 386 .algorithm_mac = SSL_SHA1, 387 .algorithm_ssl = SSL_TLSV1, 388 .algo_strength = SSL_HIGH, 389 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 390 .strength_bits = 256, 391 .alg_bits = 256, 392 }, 393 394 /* Cipher 3A */ 395 { 396 .valid = 1, 397 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 398 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 399 .algorithm_mkey = SSL_kDHE, 400 .algorithm_auth = SSL_aNULL, 401 .algorithm_enc = SSL_AES256, 402 .algorithm_mac = SSL_SHA1, 403 .algorithm_ssl = SSL_TLSV1, 404 .algo_strength = SSL_HIGH, 405 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 406 .strength_bits = 256, 407 .alg_bits = 256, 408 }, 409 410 /* TLS v1.2 ciphersuites */ 411 /* Cipher 3B */ 412 { 413 .valid = 1, 414 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 415 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 416 .algorithm_mkey = SSL_kRSA, 417 .algorithm_auth = SSL_aRSA, 418 .algorithm_enc = SSL_eNULL, 419 .algorithm_mac = SSL_SHA256, 420 .algorithm_ssl = SSL_TLSV1_2, 421 .algo_strength = SSL_STRONG_NONE, 422 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 423 .strength_bits = 0, 424 .alg_bits = 0, 425 }, 426 427 /* Cipher 3C */ 428 { 429 .valid = 1, 430 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 431 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 432 .algorithm_mkey = SSL_kRSA, 433 .algorithm_auth = SSL_aRSA, 434 .algorithm_enc = SSL_AES128, 435 .algorithm_mac = SSL_SHA256, 436 .algorithm_ssl = SSL_TLSV1_2, 437 .algo_strength = SSL_HIGH, 438 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 439 .strength_bits = 128, 440 .alg_bits = 128, 441 }, 442 443 /* Cipher 3D */ 444 { 445 .valid = 1, 446 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 447 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 448 .algorithm_mkey = SSL_kRSA, 449 .algorithm_auth = SSL_aRSA, 450 .algorithm_enc = SSL_AES256, 451 .algorithm_mac = SSL_SHA256, 452 .algorithm_ssl = SSL_TLSV1_2, 453 .algo_strength = SSL_HIGH, 454 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 455 .strength_bits = 256, 456 .alg_bits = 256, 457 }, 458 459 #ifndef OPENSSL_NO_CAMELLIA 460 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 461 462 /* Cipher 41 */ 463 { 464 .valid = 1, 465 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 466 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 467 .algorithm_mkey = SSL_kRSA, 468 .algorithm_auth = SSL_aRSA, 469 .algorithm_enc = SSL_CAMELLIA128, 470 .algorithm_mac = SSL_SHA1, 471 .algorithm_ssl = SSL_TLSV1, 472 .algo_strength = SSL_HIGH, 473 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 474 .strength_bits = 128, 475 .alg_bits = 128, 476 }, 477 478 /* Cipher 45 */ 479 { 480 .valid = 1, 481 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 482 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 483 .algorithm_mkey = SSL_kDHE, 484 .algorithm_auth = SSL_aRSA, 485 .algorithm_enc = SSL_CAMELLIA128, 486 .algorithm_mac = SSL_SHA1, 487 .algorithm_ssl = SSL_TLSV1, 488 .algo_strength = SSL_HIGH, 489 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 490 .strength_bits = 128, 491 .alg_bits = 128, 492 }, 493 494 /* Cipher 46 */ 495 { 496 .valid = 1, 497 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 498 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 499 .algorithm_mkey = SSL_kDHE, 500 .algorithm_auth = SSL_aNULL, 501 .algorithm_enc = SSL_CAMELLIA128, 502 .algorithm_mac = SSL_SHA1, 503 .algorithm_ssl = SSL_TLSV1, 504 .algo_strength = SSL_HIGH, 505 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 506 .strength_bits = 128, 507 .alg_bits = 128, 508 }, 509 #endif /* OPENSSL_NO_CAMELLIA */ 510 511 /* TLS v1.2 ciphersuites */ 512 /* Cipher 67 */ 513 { 514 .valid = 1, 515 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 516 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 517 .algorithm_mkey = SSL_kDHE, 518 .algorithm_auth = SSL_aRSA, 519 .algorithm_enc = SSL_AES128, 520 .algorithm_mac = SSL_SHA256, 521 .algorithm_ssl = SSL_TLSV1_2, 522 .algo_strength = SSL_HIGH, 523 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 524 .strength_bits = 128, 525 .alg_bits = 128, 526 }, 527 528 /* Cipher 6B */ 529 { 530 .valid = 1, 531 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 532 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 533 .algorithm_mkey = SSL_kDHE, 534 .algorithm_auth = SSL_aRSA, 535 .algorithm_enc = SSL_AES256, 536 .algorithm_mac = SSL_SHA256, 537 .algorithm_ssl = SSL_TLSV1_2, 538 .algo_strength = SSL_HIGH, 539 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 540 .strength_bits = 256, 541 .alg_bits = 256, 542 }, 543 544 /* Cipher 6C */ 545 { 546 .valid = 1, 547 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 548 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 549 .algorithm_mkey = SSL_kDHE, 550 .algorithm_auth = SSL_aNULL, 551 .algorithm_enc = SSL_AES128, 552 .algorithm_mac = SSL_SHA256, 553 .algorithm_ssl = SSL_TLSV1_2, 554 .algo_strength = SSL_HIGH, 555 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 556 .strength_bits = 128, 557 .alg_bits = 128, 558 }, 559 560 /* Cipher 6D */ 561 { 562 .valid = 1, 563 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 564 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 565 .algorithm_mkey = SSL_kDHE, 566 .algorithm_auth = SSL_aNULL, 567 .algorithm_enc = SSL_AES256, 568 .algorithm_mac = SSL_SHA256, 569 .algorithm_ssl = SSL_TLSV1_2, 570 .algo_strength = SSL_HIGH, 571 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 572 .strength_bits = 256, 573 .alg_bits = 256, 574 }, 575 576 /* GOST Ciphersuites */ 577 578 /* Cipher 81 */ 579 { 580 .valid = 1, 581 .name = "GOST2001-GOST89-GOST89", 582 .id = 0x3000081, 583 .algorithm_mkey = SSL_kGOST, 584 .algorithm_auth = SSL_aGOST01, 585 .algorithm_enc = SSL_eGOST2814789CNT, 586 .algorithm_mac = SSL_GOST89MAC, 587 .algorithm_ssl = SSL_TLSV1, 588 .algo_strength = SSL_HIGH, 589 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 590 TLS1_STREAM_MAC, 591 .strength_bits = 256, 592 .alg_bits = 256 593 }, 594 595 /* Cipher 83 */ 596 { 597 .valid = 1, 598 .name = "GOST2001-NULL-GOST94", 599 .id = 0x3000083, 600 .algorithm_mkey = SSL_kGOST, 601 .algorithm_auth = SSL_aGOST01, 602 .algorithm_enc = SSL_eNULL, 603 .algorithm_mac = SSL_GOST94, 604 .algorithm_ssl = SSL_TLSV1, 605 .algo_strength = SSL_STRONG_NONE, 606 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 607 .strength_bits = 0, 608 .alg_bits = 0 609 }, 610 611 #ifndef OPENSSL_NO_CAMELLIA 612 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 613 614 /* Cipher 84 */ 615 { 616 .valid = 1, 617 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 618 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 619 .algorithm_mkey = SSL_kRSA, 620 .algorithm_auth = SSL_aRSA, 621 .algorithm_enc = SSL_CAMELLIA256, 622 .algorithm_mac = SSL_SHA1, 623 .algorithm_ssl = SSL_TLSV1, 624 .algo_strength = SSL_HIGH, 625 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 626 .strength_bits = 256, 627 .alg_bits = 256, 628 }, 629 630 /* Cipher 88 */ 631 { 632 .valid = 1, 633 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 634 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 635 .algorithm_mkey = SSL_kDHE, 636 .algorithm_auth = SSL_aRSA, 637 .algorithm_enc = SSL_CAMELLIA256, 638 .algorithm_mac = SSL_SHA1, 639 .algorithm_ssl = SSL_TLSV1, 640 .algo_strength = SSL_HIGH, 641 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 642 .strength_bits = 256, 643 .alg_bits = 256, 644 }, 645 646 /* Cipher 89 */ 647 { 648 .valid = 1, 649 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 650 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 651 .algorithm_mkey = SSL_kDHE, 652 .algorithm_auth = SSL_aNULL, 653 .algorithm_enc = SSL_CAMELLIA256, 654 .algorithm_mac = SSL_SHA1, 655 .algorithm_ssl = SSL_TLSV1, 656 .algo_strength = SSL_HIGH, 657 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 658 .strength_bits = 256, 659 .alg_bits = 256, 660 }, 661 #endif /* OPENSSL_NO_CAMELLIA */ 662 663 /* 664 * GCM ciphersuites from RFC5288. 665 */ 666 667 /* Cipher 9C */ 668 { 669 .valid = 1, 670 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 671 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 672 .algorithm_mkey = SSL_kRSA, 673 .algorithm_auth = SSL_aRSA, 674 .algorithm_enc = SSL_AES128GCM, 675 .algorithm_mac = SSL_AEAD, 676 .algorithm_ssl = SSL_TLSV1_2, 677 .algo_strength = SSL_HIGH, 678 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 679 FIXED_NONCE_LEN(4)| 680 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 681 .strength_bits = 128, 682 .alg_bits = 128, 683 }, 684 685 /* Cipher 9D */ 686 { 687 .valid = 1, 688 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 689 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 690 .algorithm_mkey = SSL_kRSA, 691 .algorithm_auth = SSL_aRSA, 692 .algorithm_enc = SSL_AES256GCM, 693 .algorithm_mac = SSL_AEAD, 694 .algorithm_ssl = SSL_TLSV1_2, 695 .algo_strength = SSL_HIGH, 696 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 697 FIXED_NONCE_LEN(4)| 698 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 699 .strength_bits = 256, 700 .alg_bits = 256, 701 }, 702 703 /* Cipher 9E */ 704 { 705 .valid = 1, 706 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 707 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 708 .algorithm_mkey = SSL_kDHE, 709 .algorithm_auth = SSL_aRSA, 710 .algorithm_enc = SSL_AES128GCM, 711 .algorithm_mac = SSL_AEAD, 712 .algorithm_ssl = SSL_TLSV1_2, 713 .algo_strength = SSL_HIGH, 714 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 715 FIXED_NONCE_LEN(4)| 716 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 717 .strength_bits = 128, 718 .alg_bits = 128, 719 }, 720 721 /* Cipher 9F */ 722 { 723 .valid = 1, 724 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 725 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 726 .algorithm_mkey = SSL_kDHE, 727 .algorithm_auth = SSL_aRSA, 728 .algorithm_enc = SSL_AES256GCM, 729 .algorithm_mac = SSL_AEAD, 730 .algorithm_ssl = SSL_TLSV1_2, 731 .algo_strength = SSL_HIGH, 732 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 733 FIXED_NONCE_LEN(4)| 734 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 735 .strength_bits = 256, 736 .alg_bits = 256, 737 }, 738 739 /* Cipher A6 */ 740 { 741 .valid = 1, 742 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 743 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 744 .algorithm_mkey = SSL_kDHE, 745 .algorithm_auth = SSL_aNULL, 746 .algorithm_enc = SSL_AES128GCM, 747 .algorithm_mac = SSL_AEAD, 748 .algorithm_ssl = SSL_TLSV1_2, 749 .algo_strength = SSL_HIGH, 750 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 751 FIXED_NONCE_LEN(4)| 752 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 753 .strength_bits = 128, 754 .alg_bits = 128, 755 }, 756 757 /* Cipher A7 */ 758 { 759 .valid = 1, 760 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 761 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 762 .algorithm_mkey = SSL_kDHE, 763 .algorithm_auth = SSL_aNULL, 764 .algorithm_enc = SSL_AES256GCM, 765 .algorithm_mac = SSL_AEAD, 766 .algorithm_ssl = SSL_TLSV1_2, 767 .algo_strength = SSL_HIGH, 768 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 769 FIXED_NONCE_LEN(4)| 770 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 771 .strength_bits = 256, 772 .alg_bits = 256, 773 }, 774 775 #ifndef OPENSSL_NO_CAMELLIA 776 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 777 778 /* Cipher BA */ 779 { 780 .valid = 1, 781 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 782 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 783 .algorithm_mkey = SSL_kRSA, 784 .algorithm_auth = SSL_aRSA, 785 .algorithm_enc = SSL_CAMELLIA128, 786 .algorithm_mac = SSL_SHA256, 787 .algorithm_ssl = SSL_TLSV1_2, 788 .algo_strength = SSL_HIGH, 789 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 790 .strength_bits = 128, 791 .alg_bits = 128, 792 }, 793 794 /* Cipher BE */ 795 { 796 .valid = 1, 797 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 798 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 799 .algorithm_mkey = SSL_kDHE, 800 .algorithm_auth = SSL_aRSA, 801 .algorithm_enc = SSL_CAMELLIA128, 802 .algorithm_mac = SSL_SHA256, 803 .algorithm_ssl = SSL_TLSV1_2, 804 .algo_strength = SSL_HIGH, 805 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 806 .strength_bits = 128, 807 .alg_bits = 128, 808 }, 809 810 /* Cipher BF */ 811 { 812 .valid = 1, 813 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 814 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 815 .algorithm_mkey = SSL_kDHE, 816 .algorithm_auth = SSL_aNULL, 817 .algorithm_enc = SSL_CAMELLIA128, 818 .algorithm_mac = SSL_SHA256, 819 .algorithm_ssl = SSL_TLSV1_2, 820 .algo_strength = SSL_HIGH, 821 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 822 .strength_bits = 128, 823 .alg_bits = 128, 824 }, 825 826 /* Cipher C0 */ 827 { 828 .valid = 1, 829 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 830 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 831 .algorithm_mkey = SSL_kRSA, 832 .algorithm_auth = SSL_aRSA, 833 .algorithm_enc = SSL_CAMELLIA256, 834 .algorithm_mac = SSL_SHA256, 835 .algorithm_ssl = SSL_TLSV1_2, 836 .algo_strength = SSL_HIGH, 837 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 838 .strength_bits = 256, 839 .alg_bits = 256, 840 }, 841 842 /* Cipher C4 */ 843 { 844 .valid = 1, 845 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 846 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 847 .algorithm_mkey = SSL_kDHE, 848 .algorithm_auth = SSL_aRSA, 849 .algorithm_enc = SSL_CAMELLIA256, 850 .algorithm_mac = SSL_SHA256, 851 .algorithm_ssl = SSL_TLSV1_2, 852 .algo_strength = SSL_HIGH, 853 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 854 .strength_bits = 256, 855 .alg_bits = 256, 856 }, 857 858 /* Cipher C5 */ 859 { 860 .valid = 1, 861 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 862 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 863 .algorithm_mkey = SSL_kDHE, 864 .algorithm_auth = SSL_aNULL, 865 .algorithm_enc = SSL_CAMELLIA256, 866 .algorithm_mac = SSL_SHA256, 867 .algorithm_ssl = SSL_TLSV1_2, 868 .algo_strength = SSL_HIGH, 869 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 870 .strength_bits = 256, 871 .alg_bits = 256, 872 }, 873 #endif /* OPENSSL_NO_CAMELLIA */ 874 875 /* 876 * TLSv1.3 cipher suites. 877 */ 878 879 #ifdef LIBRESSL_HAS_TLS1_3 880 /* Cipher 1301 */ 881 { 882 .valid = 1, 883 .name = TLS1_3_TXT_AES_128_GCM_SHA256, 884 .id = TLS1_3_CK_AES_128_GCM_SHA256, 885 .algorithm_mkey = SSL_kTLS1_3, 886 .algorithm_auth = SSL_aTLS1_3, 887 .algorithm_enc = SSL_AES128GCM, 888 .algorithm_mac = SSL_AEAD, 889 .algorithm_ssl = SSL_TLSV1_3, 890 .algo_strength = SSL_HIGH, 891 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 892 .strength_bits = 128, 893 .alg_bits = 128, 894 }, 895 896 /* Cipher 1302 */ 897 { 898 .valid = 1, 899 .name = TLS1_3_TXT_AES_256_GCM_SHA384, 900 .id = TLS1_3_CK_AES_256_GCM_SHA384, 901 .algorithm_mkey = SSL_kTLS1_3, 902 .algorithm_auth = SSL_aTLS1_3, 903 .algorithm_enc = SSL_AES256GCM, 904 .algorithm_mac = SSL_AEAD, 905 .algorithm_ssl = SSL_TLSV1_3, 906 .algo_strength = SSL_HIGH, 907 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 908 .strength_bits = 256, 909 .alg_bits = 256, 910 }, 911 912 /* Cipher 1303 */ 913 { 914 .valid = 1, 915 .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, 916 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 917 .algorithm_mkey = SSL_kTLS1_3, 918 .algorithm_auth = SSL_aTLS1_3, 919 .algorithm_enc = SSL_CHACHA20POLY1305, 920 .algorithm_mac = SSL_AEAD, 921 .algorithm_ssl = SSL_TLSV1_3, 922 .algo_strength = SSL_HIGH, 923 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 924 .strength_bits = 256, 925 .alg_bits = 256, 926 }, 927 #endif 928 929 /* Cipher C006 */ 930 { 931 .valid = 1, 932 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 933 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 934 .algorithm_mkey = SSL_kECDHE, 935 .algorithm_auth = SSL_aECDSA, 936 .algorithm_enc = SSL_eNULL, 937 .algorithm_mac = SSL_SHA1, 938 .algorithm_ssl = SSL_TLSV1, 939 .algo_strength = SSL_STRONG_NONE, 940 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 941 .strength_bits = 0, 942 .alg_bits = 0, 943 }, 944 945 /* Cipher C007 */ 946 { 947 .valid = 1, 948 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 949 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 950 .algorithm_mkey = SSL_kECDHE, 951 .algorithm_auth = SSL_aECDSA, 952 .algorithm_enc = SSL_RC4, 953 .algorithm_mac = SSL_SHA1, 954 .algorithm_ssl = SSL_TLSV1, 955 .algo_strength = SSL_LOW, 956 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 957 .strength_bits = 128, 958 .alg_bits = 128, 959 }, 960 961 /* Cipher C008 */ 962 { 963 .valid = 1, 964 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 965 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 966 .algorithm_mkey = SSL_kECDHE, 967 .algorithm_auth = SSL_aECDSA, 968 .algorithm_enc = SSL_3DES, 969 .algorithm_mac = SSL_SHA1, 970 .algorithm_ssl = SSL_TLSV1, 971 .algo_strength = SSL_MEDIUM, 972 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 973 .strength_bits = 112, 974 .alg_bits = 168, 975 }, 976 977 /* Cipher C009 */ 978 { 979 .valid = 1, 980 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 981 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 982 .algorithm_mkey = SSL_kECDHE, 983 .algorithm_auth = SSL_aECDSA, 984 .algorithm_enc = SSL_AES128, 985 .algorithm_mac = SSL_SHA1, 986 .algorithm_ssl = SSL_TLSV1, 987 .algo_strength = SSL_HIGH, 988 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 989 .strength_bits = 128, 990 .alg_bits = 128, 991 }, 992 993 /* Cipher C00A */ 994 { 995 .valid = 1, 996 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 997 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 998 .algorithm_mkey = SSL_kECDHE, 999 .algorithm_auth = SSL_aECDSA, 1000 .algorithm_enc = SSL_AES256, 1001 .algorithm_mac = SSL_SHA1, 1002 .algorithm_ssl = SSL_TLSV1, 1003 .algo_strength = SSL_HIGH, 1004 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1005 .strength_bits = 256, 1006 .alg_bits = 256, 1007 }, 1008 1009 /* Cipher C010 */ 1010 { 1011 .valid = 1, 1012 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1013 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1014 .algorithm_mkey = SSL_kECDHE, 1015 .algorithm_auth = SSL_aRSA, 1016 .algorithm_enc = SSL_eNULL, 1017 .algorithm_mac = SSL_SHA1, 1018 .algorithm_ssl = SSL_TLSV1, 1019 .algo_strength = SSL_STRONG_NONE, 1020 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1021 .strength_bits = 0, 1022 .alg_bits = 0, 1023 }, 1024 1025 /* Cipher C011 */ 1026 { 1027 .valid = 1, 1028 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1029 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1030 .algorithm_mkey = SSL_kECDHE, 1031 .algorithm_auth = SSL_aRSA, 1032 .algorithm_enc = SSL_RC4, 1033 .algorithm_mac = SSL_SHA1, 1034 .algorithm_ssl = SSL_TLSV1, 1035 .algo_strength = SSL_LOW, 1036 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1037 .strength_bits = 128, 1038 .alg_bits = 128, 1039 }, 1040 1041 /* Cipher C012 */ 1042 { 1043 .valid = 1, 1044 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1045 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1046 .algorithm_mkey = SSL_kECDHE, 1047 .algorithm_auth = SSL_aRSA, 1048 .algorithm_enc = SSL_3DES, 1049 .algorithm_mac = SSL_SHA1, 1050 .algorithm_ssl = SSL_TLSV1, 1051 .algo_strength = SSL_MEDIUM, 1052 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1053 .strength_bits = 112, 1054 .alg_bits = 168, 1055 }, 1056 1057 /* Cipher C013 */ 1058 { 1059 .valid = 1, 1060 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1061 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1062 .algorithm_mkey = SSL_kECDHE, 1063 .algorithm_auth = SSL_aRSA, 1064 .algorithm_enc = SSL_AES128, 1065 .algorithm_mac = SSL_SHA1, 1066 .algorithm_ssl = SSL_TLSV1, 1067 .algo_strength = SSL_HIGH, 1068 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1069 .strength_bits = 128, 1070 .alg_bits = 128, 1071 }, 1072 1073 /* Cipher C014 */ 1074 { 1075 .valid = 1, 1076 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1077 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1078 .algorithm_mkey = SSL_kECDHE, 1079 .algorithm_auth = SSL_aRSA, 1080 .algorithm_enc = SSL_AES256, 1081 .algorithm_mac = SSL_SHA1, 1082 .algorithm_ssl = SSL_TLSV1, 1083 .algo_strength = SSL_HIGH, 1084 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1085 .strength_bits = 256, 1086 .alg_bits = 256, 1087 }, 1088 1089 /* Cipher C015 */ 1090 { 1091 .valid = 1, 1092 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1093 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1094 .algorithm_mkey = SSL_kECDHE, 1095 .algorithm_auth = SSL_aNULL, 1096 .algorithm_enc = SSL_eNULL, 1097 .algorithm_mac = SSL_SHA1, 1098 .algorithm_ssl = SSL_TLSV1, 1099 .algo_strength = SSL_STRONG_NONE, 1100 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1101 .strength_bits = 0, 1102 .alg_bits = 0, 1103 }, 1104 1105 /* Cipher C016 */ 1106 { 1107 .valid = 1, 1108 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1109 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1110 .algorithm_mkey = SSL_kECDHE, 1111 .algorithm_auth = SSL_aNULL, 1112 .algorithm_enc = SSL_RC4, 1113 .algorithm_mac = SSL_SHA1, 1114 .algorithm_ssl = SSL_TLSV1, 1115 .algo_strength = SSL_LOW, 1116 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1117 .strength_bits = 128, 1118 .alg_bits = 128, 1119 }, 1120 1121 /* Cipher C017 */ 1122 { 1123 .valid = 1, 1124 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1125 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1126 .algorithm_mkey = SSL_kECDHE, 1127 .algorithm_auth = SSL_aNULL, 1128 .algorithm_enc = SSL_3DES, 1129 .algorithm_mac = SSL_SHA1, 1130 .algorithm_ssl = SSL_TLSV1, 1131 .algo_strength = SSL_MEDIUM, 1132 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1133 .strength_bits = 112, 1134 .alg_bits = 168, 1135 }, 1136 1137 /* Cipher C018 */ 1138 { 1139 .valid = 1, 1140 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1141 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1142 .algorithm_mkey = SSL_kECDHE, 1143 .algorithm_auth = SSL_aNULL, 1144 .algorithm_enc = SSL_AES128, 1145 .algorithm_mac = SSL_SHA1, 1146 .algorithm_ssl = SSL_TLSV1, 1147 .algo_strength = SSL_HIGH, 1148 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1149 .strength_bits = 128, 1150 .alg_bits = 128, 1151 }, 1152 1153 /* Cipher C019 */ 1154 { 1155 .valid = 1, 1156 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1157 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1158 .algorithm_mkey = SSL_kECDHE, 1159 .algorithm_auth = SSL_aNULL, 1160 .algorithm_enc = SSL_AES256, 1161 .algorithm_mac = SSL_SHA1, 1162 .algorithm_ssl = SSL_TLSV1, 1163 .algo_strength = SSL_HIGH, 1164 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1165 .strength_bits = 256, 1166 .alg_bits = 256, 1167 }, 1168 1169 1170 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1171 1172 /* Cipher C023 */ 1173 { 1174 .valid = 1, 1175 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1176 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1177 .algorithm_mkey = SSL_kECDHE, 1178 .algorithm_auth = SSL_aECDSA, 1179 .algorithm_enc = SSL_AES128, 1180 .algorithm_mac = SSL_SHA256, 1181 .algorithm_ssl = SSL_TLSV1_2, 1182 .algo_strength = SSL_HIGH, 1183 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1184 .strength_bits = 128, 1185 .alg_bits = 128, 1186 }, 1187 1188 /* Cipher C024 */ 1189 { 1190 .valid = 1, 1191 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1192 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1193 .algorithm_mkey = SSL_kECDHE, 1194 .algorithm_auth = SSL_aECDSA, 1195 .algorithm_enc = SSL_AES256, 1196 .algorithm_mac = SSL_SHA384, 1197 .algorithm_ssl = SSL_TLSV1_2, 1198 .algo_strength = SSL_HIGH, 1199 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1200 .strength_bits = 256, 1201 .alg_bits = 256, 1202 }, 1203 1204 /* Cipher C027 */ 1205 { 1206 .valid = 1, 1207 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1208 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1209 .algorithm_mkey = SSL_kECDHE, 1210 .algorithm_auth = SSL_aRSA, 1211 .algorithm_enc = SSL_AES128, 1212 .algorithm_mac = SSL_SHA256, 1213 .algorithm_ssl = SSL_TLSV1_2, 1214 .algo_strength = SSL_HIGH, 1215 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1216 .strength_bits = 128, 1217 .alg_bits = 128, 1218 }, 1219 1220 /* Cipher C028 */ 1221 { 1222 .valid = 1, 1223 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1224 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1225 .algorithm_mkey = SSL_kECDHE, 1226 .algorithm_auth = SSL_aRSA, 1227 .algorithm_enc = SSL_AES256, 1228 .algorithm_mac = SSL_SHA384, 1229 .algorithm_ssl = SSL_TLSV1_2, 1230 .algo_strength = SSL_HIGH, 1231 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1232 .strength_bits = 256, 1233 .alg_bits = 256, 1234 }, 1235 1236 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1237 1238 /* Cipher C02B */ 1239 { 1240 .valid = 1, 1241 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1242 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1243 .algorithm_mkey = SSL_kECDHE, 1244 .algorithm_auth = SSL_aECDSA, 1245 .algorithm_enc = SSL_AES128GCM, 1246 .algorithm_mac = SSL_AEAD, 1247 .algorithm_ssl = SSL_TLSV1_2, 1248 .algo_strength = SSL_HIGH, 1249 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1250 FIXED_NONCE_LEN(4)| 1251 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1252 .strength_bits = 128, 1253 .alg_bits = 128, 1254 }, 1255 1256 /* Cipher C02C */ 1257 { 1258 .valid = 1, 1259 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1260 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1261 .algorithm_mkey = SSL_kECDHE, 1262 .algorithm_auth = SSL_aECDSA, 1263 .algorithm_enc = SSL_AES256GCM, 1264 .algorithm_mac = SSL_AEAD, 1265 .algorithm_ssl = SSL_TLSV1_2, 1266 .algo_strength = SSL_HIGH, 1267 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1268 FIXED_NONCE_LEN(4)| 1269 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1270 .strength_bits = 256, 1271 .alg_bits = 256, 1272 }, 1273 1274 /* Cipher C02F */ 1275 { 1276 .valid = 1, 1277 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1278 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1279 .algorithm_mkey = SSL_kECDHE, 1280 .algorithm_auth = SSL_aRSA, 1281 .algorithm_enc = SSL_AES128GCM, 1282 .algorithm_mac = SSL_AEAD, 1283 .algorithm_ssl = SSL_TLSV1_2, 1284 .algo_strength = SSL_HIGH, 1285 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1286 FIXED_NONCE_LEN(4)| 1287 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1288 .strength_bits = 128, 1289 .alg_bits = 128, 1290 }, 1291 1292 /* Cipher C030 */ 1293 { 1294 .valid = 1, 1295 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1296 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1297 .algorithm_mkey = SSL_kECDHE, 1298 .algorithm_auth = SSL_aRSA, 1299 .algorithm_enc = SSL_AES256GCM, 1300 .algorithm_mac = SSL_AEAD, 1301 .algorithm_ssl = SSL_TLSV1_2, 1302 .algo_strength = SSL_HIGH, 1303 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1304 FIXED_NONCE_LEN(4)| 1305 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1306 .strength_bits = 256, 1307 .alg_bits = 256, 1308 }, 1309 1310 /* Cipher CCA8 */ 1311 { 1312 .valid = 1, 1313 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1314 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1315 .algorithm_mkey = SSL_kECDHE, 1316 .algorithm_auth = SSL_aRSA, 1317 .algorithm_enc = SSL_CHACHA20POLY1305, 1318 .algorithm_mac = SSL_AEAD, 1319 .algorithm_ssl = SSL_TLSV1_2, 1320 .algo_strength = SSL_HIGH, 1321 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1322 FIXED_NONCE_LEN(12), 1323 .strength_bits = 256, 1324 .alg_bits = 256, 1325 }, 1326 1327 /* Cipher CCA9 */ 1328 { 1329 .valid = 1, 1330 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1331 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1332 .algorithm_mkey = SSL_kECDHE, 1333 .algorithm_auth = SSL_aECDSA, 1334 .algorithm_enc = SSL_CHACHA20POLY1305, 1335 .algorithm_mac = SSL_AEAD, 1336 .algorithm_ssl = SSL_TLSV1_2, 1337 .algo_strength = SSL_HIGH, 1338 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1339 FIXED_NONCE_LEN(12), 1340 .strength_bits = 256, 1341 .alg_bits = 256, 1342 }, 1343 1344 /* Cipher CCAA */ 1345 { 1346 .valid = 1, 1347 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1348 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1349 .algorithm_mkey = SSL_kDHE, 1350 .algorithm_auth = SSL_aRSA, 1351 .algorithm_enc = SSL_CHACHA20POLY1305, 1352 .algorithm_mac = SSL_AEAD, 1353 .algorithm_ssl = SSL_TLSV1_2, 1354 .algo_strength = SSL_HIGH, 1355 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1356 FIXED_NONCE_LEN(12), 1357 .strength_bits = 256, 1358 .alg_bits = 256, 1359 }, 1360 1361 /* Cipher FF85 FIXME IANA */ 1362 { 1363 .valid = 1, 1364 .name = "GOST2012256-GOST89-GOST89", 1365 .id = 0x300ff85, /* FIXME IANA */ 1366 .algorithm_mkey = SSL_kGOST, 1367 .algorithm_auth = SSL_aGOST01, 1368 .algorithm_enc = SSL_eGOST2814789CNT, 1369 .algorithm_mac = SSL_GOST89MAC, 1370 .algorithm_ssl = SSL_TLSV1, 1371 .algo_strength = SSL_HIGH, 1372 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1373 TLS1_STREAM_MAC, 1374 .strength_bits = 256, 1375 .alg_bits = 256 1376 }, 1377 1378 /* Cipher FF87 FIXME IANA */ 1379 { 1380 .valid = 1, 1381 .name = "GOST2012256-NULL-STREEBOG256", 1382 .id = 0x300ff87, /* FIXME IANA */ 1383 .algorithm_mkey = SSL_kGOST, 1384 .algorithm_auth = SSL_aGOST01, 1385 .algorithm_enc = SSL_eNULL, 1386 .algorithm_mac = SSL_STREEBOG256, 1387 .algorithm_ssl = SSL_TLSV1, 1388 .algo_strength = SSL_STRONG_NONE, 1389 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1390 .strength_bits = 0, 1391 .alg_bits = 0 1392 }, 1393 1394 1395 /* end of list */ 1396 }; 1397 1398 int 1399 ssl3_num_ciphers(void) 1400 { 1401 return (SSL3_NUM_CIPHERS); 1402 } 1403 1404 const SSL_CIPHER * 1405 ssl3_get_cipher(unsigned int u) 1406 { 1407 if (u < SSL3_NUM_CIPHERS) 1408 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1409 else 1410 return (NULL); 1411 } 1412 1413 const SSL_CIPHER * 1414 ssl3_get_cipher_by_id(unsigned int id) 1415 { 1416 const SSL_CIPHER *cp; 1417 SSL_CIPHER c; 1418 1419 c.id = id; 1420 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1421 if (cp != NULL && cp->valid == 1) 1422 return (cp); 1423 1424 return (NULL); 1425 } 1426 1427 const SSL_CIPHER * 1428 ssl3_get_cipher_by_value(uint16_t value) 1429 { 1430 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1431 } 1432 1433 uint16_t 1434 ssl3_cipher_get_value(const SSL_CIPHER *c) 1435 { 1436 return (c->id & SSL3_CK_VALUE_MASK); 1437 } 1438 1439 int 1440 ssl3_pending(const SSL *s) 1441 { 1442 if (s->internal->rstate == SSL_ST_READ_BODY) 1443 return 0; 1444 1445 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1446 S3I(s)->rrec.length : 0; 1447 } 1448 1449 int 1450 ssl3_handshake_msg_hdr_len(SSL *s) 1451 { 1452 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1453 SSL3_HM_HEADER_LENGTH); 1454 } 1455 1456 int 1457 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1458 { 1459 int ret = 0; 1460 1461 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1462 goto err; 1463 if (!CBB_add_u8(handshake, msg_type)) 1464 goto err; 1465 if (SSL_is_dtls(s)) { 1466 unsigned char *data; 1467 1468 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1469 SSL3_HM_HEADER_LENGTH)) 1470 goto err; 1471 } 1472 if (!CBB_add_u24_length_prefixed(handshake, body)) 1473 goto err; 1474 1475 ret = 1; 1476 1477 err: 1478 return (ret); 1479 } 1480 1481 int 1482 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1483 { 1484 unsigned char *data = NULL; 1485 size_t outlen; 1486 int ret = 0; 1487 1488 if (!CBB_finish(handshake, &data, &outlen)) 1489 goto err; 1490 1491 if (outlen > INT_MAX) 1492 goto err; 1493 1494 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen)) 1495 goto err; 1496 1497 memcpy(s->internal->init_buf->data, data, outlen); 1498 1499 s->internal->init_num = (int)outlen; 1500 s->internal->init_off = 0; 1501 1502 if (SSL_is_dtls(s)) { 1503 unsigned long len; 1504 uint8_t msg_type; 1505 CBS cbs; 1506 1507 CBS_init(&cbs, data, outlen); 1508 if (!CBS_get_u8(&cbs, &msg_type)) 1509 goto err; 1510 1511 len = outlen - ssl3_handshake_msg_hdr_len(s); 1512 1513 dtls1_set_message_header(s, msg_type, len, 0, len); 1514 dtls1_buffer_message(s, 0); 1515 } 1516 1517 ret = 1; 1518 1519 err: 1520 free(data); 1521 1522 return (ret); 1523 } 1524 1525 int 1526 ssl3_handshake_write(SSL *s) 1527 { 1528 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1529 } 1530 1531 int 1532 ssl3_record_write(SSL *s, int type) 1533 { 1534 if (SSL_is_dtls(s)) 1535 return dtls1_do_write(s, type); 1536 1537 return ssl3_do_write(s, type); 1538 } 1539 1540 int 1541 ssl3_new(SSL *s) 1542 { 1543 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1544 return (0); 1545 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) { 1546 free(s->s3); 1547 return (0); 1548 } 1549 1550 s->method->internal->ssl_clear(s); 1551 1552 return (1); 1553 } 1554 1555 void 1556 ssl3_free(SSL *s) 1557 { 1558 if (s == NULL) 1559 return; 1560 1561 tls1_cleanup_key_block(s); 1562 ssl3_release_read_buffer(s); 1563 ssl3_release_write_buffer(s); 1564 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 1565 1566 DH_free(S3I(s)->tmp.dh); 1567 EC_KEY_free(S3I(s)->tmp.ecdh); 1568 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); 1569 1570 tls13_key_share_free(S3I(s)->hs.tls13.key_share); 1571 tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); 1572 freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); 1573 tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); 1574 1575 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); 1576 1577 tls1_transcript_free(s); 1578 tls1_transcript_hash_free(s); 1579 1580 free(S3I(s)->alpn_selected); 1581 1582 freezero(S3I(s), sizeof(*S3I(s))); 1583 freezero(s->s3, sizeof(*s->s3)); 1584 1585 s->s3 = NULL; 1586 } 1587 1588 void 1589 ssl3_clear(SSL *s) 1590 { 1591 struct ssl3_state_internal_st *internal; 1592 unsigned char *rp, *wp; 1593 size_t rlen, wlen; 1594 1595 tls1_cleanup_key_block(s); 1596 sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free); 1597 1598 DH_free(S3I(s)->tmp.dh); 1599 S3I(s)->tmp.dh = NULL; 1600 EC_KEY_free(S3I(s)->tmp.ecdh); 1601 S3I(s)->tmp.ecdh = NULL; 1602 S3I(s)->tmp.ecdh_nid = NID_undef; 1603 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); 1604 S3I(s)->tmp.x25519 = NULL; 1605 1606 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 1607 S3I(s)->hs.sigalgs = NULL; 1608 S3I(s)->hs.sigalgs_len = 0; 1609 1610 tls13_key_share_free(S3I(s)->hs.tls13.key_share); 1611 S3I(s)->hs.tls13.key_share = NULL; 1612 1613 tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); 1614 S3I(s)->hs.tls13.secrets = NULL; 1615 freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); 1616 S3I(s)->hs.tls13.cookie = NULL; 1617 S3I(s)->hs.tls13.cookie_len = 0; 1618 tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); 1619 1620 S3I(s)->hs.extensions_seen = 0; 1621 1622 rp = S3I(s)->rbuf.buf; 1623 wp = S3I(s)->wbuf.buf; 1624 rlen = S3I(s)->rbuf.len; 1625 wlen = S3I(s)->wbuf.len; 1626 1627 tls1_transcript_free(s); 1628 tls1_transcript_hash_free(s); 1629 1630 free(S3I(s)->alpn_selected); 1631 S3I(s)->alpn_selected = NULL; 1632 S3I(s)->alpn_selected_len = 0; 1633 1634 memset(S3I(s), 0, sizeof(*S3I(s))); 1635 internal = S3I(s); 1636 memset(s->s3, 0, sizeof(*s->s3)); 1637 S3I(s) = internal; 1638 1639 S3I(s)->rbuf.buf = rp; 1640 S3I(s)->wbuf.buf = wp; 1641 S3I(s)->rbuf.len = rlen; 1642 S3I(s)->wbuf.len = wlen; 1643 1644 ssl_free_wbio_buffer(s); 1645 1646 /* Not needed... */ 1647 S3I(s)->renegotiate = 0; 1648 S3I(s)->total_renegotiations = 0; 1649 S3I(s)->num_renegotiations = 0; 1650 S3I(s)->in_read_app_data = 0; 1651 1652 s->internal->packet_length = 0; 1653 s->version = TLS1_VERSION; 1654 1655 S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1656 } 1657 1658 long 1659 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1660 { 1661 EVP_PKEY *pkey = NULL; 1662 SESS_CERT *sc; 1663 int ret = 0; 1664 1665 *key = NULL; 1666 1667 if (s->session == NULL || SSI(s)->sess_cert == NULL) 1668 return 0; 1669 1670 sc = SSI(s)->sess_cert; 1671 1672 if ((pkey = EVP_PKEY_new()) == NULL) 1673 return 0; 1674 1675 if (sc->peer_dh_tmp != NULL) { 1676 if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp)) 1677 goto err; 1678 } else if (sc->peer_ecdh_tmp) { 1679 if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp)) 1680 goto err; 1681 } else if (sc->peer_x25519_tmp != NULL) { 1682 if (!ssl_kex_dummy_ecdhe_x25519(pkey)) 1683 goto err; 1684 } else if (S3I(s)->hs.tls13.key_share != NULL) { 1685 if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share, 1686 pkey)) 1687 goto err; 1688 } else { 1689 goto err; 1690 } 1691 1692 *key = pkey; 1693 pkey = NULL; 1694 1695 ret = 1; 1696 1697 err: 1698 EVP_PKEY_free(pkey); 1699 1700 return (ret); 1701 } 1702 1703 static int 1704 _SSL_session_reused(SSL *s) 1705 { 1706 return s->internal->hit; 1707 } 1708 1709 static int 1710 _SSL_num_renegotiations(SSL *s) 1711 { 1712 return S3I(s)->num_renegotiations; 1713 } 1714 1715 static int 1716 _SSL_clear_num_renegotiations(SSL *s) 1717 { 1718 int renegs; 1719 1720 renegs = S3I(s)->num_renegotiations; 1721 S3I(s)->num_renegotiations = 0; 1722 1723 return renegs; 1724 } 1725 1726 static int 1727 _SSL_total_renegotiations(SSL *s) 1728 { 1729 return S3I(s)->total_renegotiations; 1730 } 1731 1732 static int 1733 _SSL_set_tmp_dh(SSL *s, DH *dh) 1734 { 1735 DH *dh_tmp; 1736 1737 if (dh == NULL) { 1738 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1739 return 0; 1740 } 1741 1742 if ((dh_tmp = DHparams_dup(dh)) == NULL) { 1743 SSLerror(s, ERR_R_DH_LIB); 1744 return 0; 1745 } 1746 1747 DH_free(s->cert->dh_tmp); 1748 s->cert->dh_tmp = dh_tmp; 1749 1750 return 1; 1751 } 1752 1753 static int 1754 _SSL_set_dh_auto(SSL *s, int state) 1755 { 1756 s->cert->dh_tmp_auto = state; 1757 return 1; 1758 } 1759 1760 static int 1761 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1762 { 1763 const EC_GROUP *group; 1764 int nid; 1765 1766 if (ecdh == NULL) 1767 return 0; 1768 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1769 return 0; 1770 1771 nid = EC_GROUP_get_curve_name(group); 1772 return SSL_set1_groups(s, &nid, 1); 1773 } 1774 1775 static int 1776 _SSL_set_ecdh_auto(SSL *s, int state) 1777 { 1778 return 1; 1779 } 1780 1781 static int 1782 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1783 { 1784 free(s->tlsext_hostname); 1785 s->tlsext_hostname = NULL; 1786 1787 if (name == NULL) 1788 return 1; 1789 1790 if (strlen(name) > TLSEXT_MAXLEN_host_name) { 1791 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1792 return 0; 1793 } 1794 1795 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1796 SSLerror(s, ERR_R_INTERNAL_ERROR); 1797 return 0; 1798 } 1799 1800 return 1; 1801 } 1802 1803 static int 1804 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1805 { 1806 s->internal->tlsext_debug_arg = arg; 1807 return 1; 1808 } 1809 1810 static int 1811 _SSL_set_tlsext_status_type(SSL *s, int type) 1812 { 1813 s->tlsext_status_type = type; 1814 return 1; 1815 } 1816 1817 static int 1818 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1819 { 1820 *exts = s->internal->tlsext_ocsp_exts; 1821 return 1; 1822 } 1823 1824 static int 1825 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1826 { 1827 /* XXX - leak... */ 1828 s->internal->tlsext_ocsp_exts = exts; 1829 return 1; 1830 } 1831 1832 static int 1833 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1834 { 1835 *ids = s->internal->tlsext_ocsp_ids; 1836 return 1; 1837 } 1838 1839 static int 1840 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1841 { 1842 /* XXX - leak... */ 1843 s->internal->tlsext_ocsp_ids = ids; 1844 return 1; 1845 } 1846 1847 static int 1848 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1849 { 1850 if (s->internal->tlsext_ocsp_resp != NULL && 1851 s->internal->tlsext_ocsp_resp_len < INT_MAX) { 1852 *resp = s->internal->tlsext_ocsp_resp; 1853 return (int)s->internal->tlsext_ocsp_resp_len; 1854 } 1855 1856 *resp = NULL; 1857 1858 return -1; 1859 } 1860 1861 static int 1862 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1863 { 1864 free(s->internal->tlsext_ocsp_resp); 1865 s->internal->tlsext_ocsp_resp = NULL; 1866 s->internal->tlsext_ocsp_resp_len = 0; 1867 1868 if (resp_len < 0) 1869 return 0; 1870 1871 s->internal->tlsext_ocsp_resp = resp; 1872 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; 1873 1874 return 1; 1875 } 1876 1877 int 1878 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1879 { 1880 return ssl_cert_set0_chain(ssl->cert, chain); 1881 } 1882 1883 int 1884 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1885 { 1886 return ssl_cert_set1_chain(ssl->cert, chain); 1887 } 1888 1889 int 1890 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1891 { 1892 return ssl_cert_add0_chain_cert(ssl->cert, x509); 1893 } 1894 1895 int 1896 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1897 { 1898 return ssl_cert_add1_chain_cert(ssl->cert, x509); 1899 } 1900 1901 int 1902 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1903 { 1904 *out_chain = NULL; 1905 1906 if (ssl->cert->key != NULL) 1907 *out_chain = ssl->cert->key->chain; 1908 1909 return 1; 1910 } 1911 1912 int 1913 SSL_clear_chain_certs(SSL *ssl) 1914 { 1915 return ssl_cert_set0_chain(ssl->cert, NULL); 1916 } 1917 1918 int 1919 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1920 { 1921 return tls1_set_groups(&s->internal->tlsext_supportedgroups, 1922 &s->internal->tlsext_supportedgroups_length, groups, groups_len); 1923 } 1924 1925 int 1926 SSL_set1_groups_list(SSL *s, const char *groups) 1927 { 1928 return tls1_set_group_list(&s->internal->tlsext_supportedgroups, 1929 &s->internal->tlsext_supportedgroups_length, groups); 1930 } 1931 1932 long 1933 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1934 { 1935 switch (cmd) { 1936 case SSL_CTRL_GET_SESSION_REUSED: 1937 return _SSL_session_reused(s); 1938 1939 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1940 return _SSL_num_renegotiations(s); 1941 1942 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1943 return _SSL_clear_num_renegotiations(s); 1944 1945 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1946 return _SSL_total_renegotiations(s); 1947 1948 case SSL_CTRL_SET_TMP_DH: 1949 return _SSL_set_tmp_dh(s, parg); 1950 1951 case SSL_CTRL_SET_TMP_DH_CB: 1952 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1953 return 0; 1954 1955 case SSL_CTRL_SET_DH_AUTO: 1956 return _SSL_set_dh_auto(s, larg); 1957 1958 case SSL_CTRL_SET_TMP_ECDH: 1959 return _SSL_set_tmp_ecdh(s, parg); 1960 1961 case SSL_CTRL_SET_TMP_ECDH_CB: 1962 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1963 return 0; 1964 1965 case SSL_CTRL_SET_ECDH_AUTO: 1966 return _SSL_set_ecdh_auto(s, larg); 1967 1968 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1969 if (larg != TLSEXT_NAMETYPE_host_name) { 1970 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 1971 return 0; 1972 } 1973 return _SSL_set_tlsext_host_name(s, parg); 1974 1975 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 1976 return _SSL_set_tlsext_debug_arg(s, parg); 1977 1978 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 1979 return _SSL_set_tlsext_status_type(s, larg); 1980 1981 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 1982 return _SSL_get_tlsext_status_exts(s, parg); 1983 1984 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 1985 return _SSL_set_tlsext_status_exts(s, parg); 1986 1987 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 1988 return _SSL_get_tlsext_status_ids(s, parg); 1989 1990 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 1991 return _SSL_set_tlsext_status_ids(s, parg); 1992 1993 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 1994 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 1995 1996 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 1997 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 1998 1999 case SSL_CTRL_CHAIN: 2000 if (larg == 0) 2001 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2002 else 2003 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2004 2005 case SSL_CTRL_CHAIN_CERT: 2006 if (larg == 0) 2007 return SSL_add0_chain_cert(s, (X509 *)parg); 2008 else 2009 return SSL_add1_chain_cert(s, (X509 *)parg); 2010 2011 case SSL_CTRL_GET_CHAIN_CERTS: 2012 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2013 2014 case SSL_CTRL_SET_GROUPS: 2015 return SSL_set1_groups(s, parg, larg); 2016 2017 case SSL_CTRL_SET_GROUPS_LIST: 2018 return SSL_set1_groups_list(s, parg); 2019 2020 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2021 case SSL_CTRL_GET_SERVER_TMP_KEY: 2022 if (s->server != 0) 2023 return 0; 2024 return _SSL_get_peer_tmp_key(s, parg); 2025 2026 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2027 return SSL_get_min_proto_version(s); 2028 2029 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2030 return SSL_get_max_proto_version(s); 2031 2032 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2033 if (larg < 0 || larg > UINT16_MAX) 2034 return 0; 2035 return SSL_set_min_proto_version(s, larg); 2036 2037 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2038 if (larg < 0 || larg > UINT16_MAX) 2039 return 0; 2040 return SSL_set_max_proto_version(s, larg); 2041 2042 /* 2043 * Legacy controls that should eventually be removed. 2044 */ 2045 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2046 return 0; 2047 2048 case SSL_CTRL_GET_FLAGS: 2049 return (int)(s->s3->flags); 2050 2051 case SSL_CTRL_NEED_TMP_RSA: 2052 return 0; 2053 2054 case SSL_CTRL_SET_TMP_RSA: 2055 case SSL_CTRL_SET_TMP_RSA_CB: 2056 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2057 return 0; 2058 } 2059 2060 return 0; 2061 } 2062 2063 long 2064 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2065 { 2066 switch (cmd) { 2067 case SSL_CTRL_SET_TMP_RSA_CB: 2068 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2069 return 0; 2070 2071 case SSL_CTRL_SET_TMP_DH_CB: 2072 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2073 return 1; 2074 2075 case SSL_CTRL_SET_TMP_ECDH_CB: 2076 return 1; 2077 2078 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2079 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, 2080 unsigned char *, int, void *))fp; 2081 return 1; 2082 } 2083 2084 return 0; 2085 } 2086 2087 static int 2088 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2089 { 2090 DH *dh_tmp; 2091 2092 if ((dh_tmp = DHparams_dup(dh)) == NULL) { 2093 SSLerrorx(ERR_R_DH_LIB); 2094 return 0; 2095 } 2096 2097 DH_free(ctx->internal->cert->dh_tmp); 2098 ctx->internal->cert->dh_tmp = dh_tmp; 2099 2100 return 1; 2101 } 2102 2103 static int 2104 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2105 { 2106 ctx->internal->cert->dh_tmp_auto = state; 2107 return 1; 2108 } 2109 2110 static int 2111 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2112 { 2113 const EC_GROUP *group; 2114 int nid; 2115 2116 if (ecdh == NULL) 2117 return 0; 2118 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2119 return 0; 2120 2121 nid = EC_GROUP_get_curve_name(group); 2122 return SSL_CTX_set1_groups(ctx, &nid, 1); 2123 } 2124 2125 static int 2126 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2127 { 2128 return 1; 2129 } 2130 2131 static int 2132 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2133 { 2134 ctx->internal->tlsext_servername_arg = arg; 2135 return 1; 2136 } 2137 2138 static int 2139 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2140 { 2141 if (keys == NULL) 2142 return 48; 2143 2144 if (keys_len != 48) { 2145 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2146 return 0; 2147 } 2148 2149 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); 2150 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16); 2151 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16); 2152 2153 return 1; 2154 } 2155 2156 static int 2157 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2158 { 2159 if (keys == NULL) 2160 return 48; 2161 2162 if (keys_len != 48) { 2163 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2164 return 0; 2165 } 2166 2167 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); 2168 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16); 2169 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); 2170 2171 return 1; 2172 } 2173 2174 static int 2175 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2176 { 2177 *arg = ctx->internal->tlsext_status_arg; 2178 return 1; 2179 } 2180 2181 static int 2182 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2183 { 2184 ctx->internal->tlsext_status_arg = arg; 2185 return 1; 2186 } 2187 2188 int 2189 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2190 { 2191 return ssl_cert_set0_chain(ctx->internal->cert, chain); 2192 } 2193 2194 int 2195 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2196 { 2197 return ssl_cert_set1_chain(ctx->internal->cert, chain); 2198 } 2199 2200 int 2201 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2202 { 2203 return ssl_cert_add0_chain_cert(ctx->internal->cert, x509); 2204 } 2205 2206 int 2207 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2208 { 2209 return ssl_cert_add1_chain_cert(ctx->internal->cert, x509); 2210 } 2211 2212 int 2213 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2214 { 2215 *out_chain = NULL; 2216 2217 if (ctx->internal->cert->key != NULL) 2218 *out_chain = ctx->internal->cert->key->chain; 2219 2220 return 1; 2221 } 2222 2223 int 2224 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2225 { 2226 return ssl_cert_set0_chain(ctx->internal->cert, NULL); 2227 } 2228 2229 static int 2230 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2231 { 2232 if (ctx->extra_certs == NULL) { 2233 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2234 return 0; 2235 } 2236 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2237 return 0; 2238 2239 return 1; 2240 } 2241 2242 static int 2243 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2244 { 2245 *certs = ctx->extra_certs; 2246 if (*certs == NULL) 2247 *certs = ctx->internal->cert->key->chain; 2248 2249 return 1; 2250 } 2251 2252 static int 2253 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2254 { 2255 *certs = ctx->extra_certs; 2256 return 1; 2257 } 2258 2259 static int 2260 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2261 { 2262 sk_X509_pop_free(ctx->extra_certs, X509_free); 2263 ctx->extra_certs = NULL; 2264 return 1; 2265 } 2266 2267 int 2268 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2269 { 2270 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, 2271 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); 2272 } 2273 2274 int 2275 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2276 { 2277 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups, 2278 &ctx->internal->tlsext_supportedgroups_length, groups); 2279 } 2280 2281 long 2282 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2283 { 2284 switch (cmd) { 2285 case SSL_CTRL_SET_TMP_DH: 2286 return _SSL_CTX_set_tmp_dh(ctx, parg); 2287 2288 case SSL_CTRL_SET_TMP_DH_CB: 2289 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2290 return 0; 2291 2292 case SSL_CTRL_SET_DH_AUTO: 2293 return _SSL_CTX_set_dh_auto(ctx, larg); 2294 2295 case SSL_CTRL_SET_TMP_ECDH: 2296 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2297 2298 case SSL_CTRL_SET_TMP_ECDH_CB: 2299 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2300 return 0; 2301 2302 case SSL_CTRL_SET_ECDH_AUTO: 2303 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2304 2305 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2306 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2307 2308 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2309 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2310 2311 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2312 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2313 2314 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2315 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2316 2317 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2318 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2319 2320 case SSL_CTRL_CHAIN: 2321 if (larg == 0) 2322 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2323 else 2324 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2325 2326 case SSL_CTRL_CHAIN_CERT: 2327 if (larg == 0) 2328 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2329 else 2330 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2331 2332 case SSL_CTRL_GET_CHAIN_CERTS: 2333 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2334 2335 case SSL_CTRL_EXTRA_CHAIN_CERT: 2336 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2337 2338 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2339 if (larg == 0) 2340 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2341 else 2342 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2343 2344 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2345 return _SSL_CTX_clear_extra_chain_certs(ctx); 2346 2347 case SSL_CTRL_SET_GROUPS: 2348 return SSL_CTX_set1_groups(ctx, parg, larg); 2349 2350 case SSL_CTRL_SET_GROUPS_LIST: 2351 return SSL_CTX_set1_groups_list(ctx, parg); 2352 2353 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2354 return SSL_CTX_get_min_proto_version(ctx); 2355 2356 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2357 return SSL_CTX_get_max_proto_version(ctx); 2358 2359 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2360 if (larg < 0 || larg > UINT16_MAX) 2361 return 0; 2362 return SSL_CTX_set_min_proto_version(ctx, larg); 2363 2364 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2365 if (larg < 0 || larg > UINT16_MAX) 2366 return 0; 2367 return SSL_CTX_set_max_proto_version(ctx, larg); 2368 2369 /* 2370 * Legacy controls that should eventually be removed. 2371 */ 2372 case SSL_CTRL_NEED_TMP_RSA: 2373 return 0; 2374 2375 case SSL_CTRL_SET_TMP_RSA: 2376 case SSL_CTRL_SET_TMP_RSA_CB: 2377 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2378 return 0; 2379 } 2380 2381 return 0; 2382 } 2383 2384 long 2385 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2386 { 2387 switch (cmd) { 2388 case SSL_CTRL_SET_TMP_RSA_CB: 2389 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2390 return 0; 2391 2392 case SSL_CTRL_SET_TMP_DH_CB: 2393 ctx->internal->cert->dh_tmp_cb = 2394 (DH *(*)(SSL *, int, int))fp; 2395 return 1; 2396 2397 case SSL_CTRL_SET_TMP_ECDH_CB: 2398 return 1; 2399 2400 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2401 ctx->internal->tlsext_servername_callback = 2402 (int (*)(SSL *, int *, void *))fp; 2403 return 1; 2404 2405 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2406 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb; 2407 return 1; 2408 2409 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2410 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2411 return 1; 2412 2413 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2414 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2415 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2416 return 1; 2417 } 2418 2419 return 0; 2420 } 2421 2422 /* 2423 * This function needs to check if the ciphers required are actually available. 2424 */ 2425 const SSL_CIPHER * 2426 ssl3_get_cipher_by_char(const unsigned char *p) 2427 { 2428 uint16_t cipher_value; 2429 CBS cbs; 2430 2431 /* We have to assume it is at least 2 bytes due to existing API. */ 2432 CBS_init(&cbs, p, 2); 2433 if (!CBS_get_u16(&cbs, &cipher_value)) 2434 return NULL; 2435 2436 return ssl3_get_cipher_by_value(cipher_value); 2437 } 2438 2439 int 2440 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) 2441 { 2442 CBB cbb; 2443 2444 if (p == NULL) 2445 return (2); 2446 2447 if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) 2448 return (0); 2449 2450 memset(&cbb, 0, sizeof(cbb)); 2451 2452 /* We have to assume it is at least 2 bytes due to existing API. */ 2453 if (!CBB_init_fixed(&cbb, p, 2)) 2454 goto err; 2455 if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c))) 2456 goto err; 2457 if (!CBB_finish(&cbb, NULL, NULL)) 2458 goto err; 2459 2460 return (2); 2461 2462 err: 2463 CBB_cleanup(&cbb); 2464 return (0); 2465 } 2466 2467 SSL_CIPHER * 2468 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2469 STACK_OF(SSL_CIPHER) *srvr) 2470 { 2471 unsigned long alg_k, alg_a, mask_k, mask_a; 2472 STACK_OF(SSL_CIPHER) *prio, *allow; 2473 SSL_CIPHER *c, *ret = NULL; 2474 int can_use_ecc; 2475 int i, ii, ok; 2476 CERT *cert; 2477 2478 /* Let's see which ciphers we can support */ 2479 cert = s->cert; 2480 2481 can_use_ecc = (tls1_get_shared_curve(s) != NID_undef); 2482 2483 /* 2484 * Do not set the compare functions, because this may lead to a 2485 * reordering by "id". We want to keep the original ordering. 2486 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2487 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2488 */ 2489 2490 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2491 prio = srvr; 2492 allow = clnt; 2493 } else { 2494 prio = clnt; 2495 allow = srvr; 2496 } 2497 2498 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2499 c = sk_SSL_CIPHER_value(prio, i); 2500 2501 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2502 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2503 !SSL_USE_TLS1_2_CIPHERS(s)) 2504 continue; 2505 2506 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2507 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2508 !SSL_USE_TLS1_3_CIPHERS(s)) 2509 continue; 2510 2511 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2512 if (SSL_USE_TLS1_3_CIPHERS(s) && 2513 !(c->algorithm_ssl & SSL_TLSV1_3)) 2514 continue; 2515 2516 ssl_set_cert_masks(cert, c); 2517 mask_k = cert->mask_k; 2518 mask_a = cert->mask_a; 2519 2520 alg_k = c->algorithm_mkey; 2521 alg_a = c->algorithm_auth; 2522 2523 ok = (alg_k & mask_k) && (alg_a & mask_a); 2524 2525 /* 2526 * If we are considering an ECC cipher suite that uses our 2527 * certificate check it. 2528 */ 2529 if (alg_a & SSL_aECDSA) 2530 ok = ok && tls1_check_ec_server_key(s); 2531 /* 2532 * If we are considering an ECC cipher suite that uses 2533 * an ephemeral EC key check it. 2534 */ 2535 if (alg_k & SSL_kECDHE) 2536 ok = ok && can_use_ecc; 2537 2538 if (!ok) 2539 continue; 2540 ii = sk_SSL_CIPHER_find(allow, c); 2541 if (ii >= 0) { 2542 ret = sk_SSL_CIPHER_value(allow, ii); 2543 break; 2544 } 2545 } 2546 return (ret); 2547 } 2548 2549 int 2550 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2551 { 2552 unsigned long alg_k; 2553 2554 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 2555 2556 #ifndef OPENSSL_NO_GOST 2557 if ((alg_k & SSL_kGOST) != 0) { 2558 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2559 return 0; 2560 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2561 return 0; 2562 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2563 return 0; 2564 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2565 return 0; 2566 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2567 return 0; 2568 } 2569 #endif 2570 2571 if ((alg_k & SSL_kDHE) != 0) { 2572 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2573 return 0; 2574 } 2575 2576 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2577 return 0; 2578 2579 /* 2580 * ECDSA certs can be used with RSA cipher suites as well 2581 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2582 */ 2583 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2584 return 0; 2585 2586 return 1; 2587 } 2588 2589 int 2590 ssl3_shutdown(SSL *s) 2591 { 2592 int ret; 2593 2594 /* 2595 * Don't do anything much if we have not done the handshake or 2596 * we don't want to send messages :-) 2597 */ 2598 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) { 2599 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2600 return (1); 2601 } 2602 2603 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) { 2604 s->internal->shutdown|=SSL_SENT_SHUTDOWN; 2605 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2606 /* 2607 * Our shutdown alert has been sent now, and if it still needs 2608 * to be written, S3I(s)->alert_dispatch will be true 2609 */ 2610 if (S3I(s)->alert_dispatch) 2611 return(-1); /* return WANT_WRITE */ 2612 } else if (S3I(s)->alert_dispatch) { 2613 /* resend it if not sent */ 2614 ret = s->method->ssl_dispatch_alert(s); 2615 if (ret == -1) { 2616 /* 2617 * We only get to return -1 here the 2nd/Nth 2618 * invocation, we must have already signalled 2619 * return 0 upon a previous invoation, 2620 * return WANT_WRITE 2621 */ 2622 return (ret); 2623 } 2624 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2625 /* If we are waiting for a close from our peer, we are closed */ 2626 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0); 2627 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2628 return(-1); /* return WANT_READ */ 2629 } 2630 } 2631 2632 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2633 !S3I(s)->alert_dispatch) 2634 return (1); 2635 else 2636 return (0); 2637 } 2638 2639 int 2640 ssl3_write(SSL *s, const void *buf, int len) 2641 { 2642 errno = 0; 2643 2644 if (S3I(s)->renegotiate) 2645 ssl3_renegotiate_check(s); 2646 2647 return s->method->internal->ssl_write_bytes(s, 2648 SSL3_RT_APPLICATION_DATA, buf, len); 2649 } 2650 2651 static int 2652 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2653 { 2654 int ret; 2655 2656 errno = 0; 2657 if (S3I(s)->renegotiate) 2658 ssl3_renegotiate_check(s); 2659 S3I(s)->in_read_app_data = 1; 2660 ret = s->method->internal->ssl_read_bytes(s, 2661 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2662 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { 2663 /* 2664 * ssl3_read_bytes decided to call s->internal->handshake_func, 2665 * which called ssl3_read_bytes to read handshake data. 2666 * However, ssl3_read_bytes actually found application data 2667 * and thinks that application data makes sense here; so disable 2668 * handshake processing and try to read application data again. 2669 */ 2670 s->internal->in_handshake++; 2671 ret = s->method->internal->ssl_read_bytes(s, 2672 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2673 s->internal->in_handshake--; 2674 } else 2675 S3I(s)->in_read_app_data = 0; 2676 2677 return (ret); 2678 } 2679 2680 int 2681 ssl3_read(SSL *s, void *buf, int len) 2682 { 2683 return ssl3_read_internal(s, buf, len, 0); 2684 } 2685 2686 int 2687 ssl3_peek(SSL *s, void *buf, int len) 2688 { 2689 return ssl3_read_internal(s, buf, len, 1); 2690 } 2691 2692 int 2693 ssl3_renegotiate(SSL *s) 2694 { 2695 if (s->internal->handshake_func == NULL) 2696 return (1); 2697 2698 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2699 return (0); 2700 2701 S3I(s)->renegotiate = 1; 2702 return (1); 2703 } 2704 2705 int 2706 ssl3_renegotiate_check(SSL *s) 2707 { 2708 int ret = 0; 2709 2710 if (S3I(s)->renegotiate) { 2711 if ((S3I(s)->rbuf.left == 0) && (S3I(s)->wbuf.left == 0) && 2712 !SSL_in_init(s)) { 2713 /* 2714 * If we are the server, and we have sent 2715 * a 'RENEGOTIATE' message, we need to go 2716 * to SSL_ST_ACCEPT. 2717 */ 2718 /* SSL_ST_ACCEPT */ 2719 S3I(s)->hs.state = SSL_ST_RENEGOTIATE; 2720 S3I(s)->renegotiate = 0; 2721 S3I(s)->num_renegotiations++; 2722 S3I(s)->total_renegotiations++; 2723 ret = 1; 2724 } 2725 } 2726 return (ret); 2727 } 2728