xref: /dragonfly/crypto/libressl/ssl/s3_lib.c (revision 6f5ec8b5) 
1 /* $OpenBSD: s3_lib.c,v 1.238 2022/08/21 19:39:44 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124 /* ====================================================================
125  * Copyright 2005 Nokia. All rights reserved.
126  *
127  * The portions of the attached software ("Contribution") is developed by
128  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129  * license.
130  *
131  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133  * support (see RFC 4279) to OpenSSL.
134  *
135  * No patent licenses or other rights except those expressly stated in
136  * the OpenSSL open source license shall be deemed granted or received
137  * expressly, by implication, estoppel, or otherwise.
138  *
139  * No assurances are provided by Nokia that the Contribution does not
140  * infringe the patent or other intellectual property rights of any third
141  * party or that the license provides you with all the necessary rights
142  * to make use of the Contribution.
143  *
144  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148  * OTHERWISE.
149  */
150 
151 #include <limits.h>
152 #include <stdio.h>
153 
154 #include <openssl/bn.h>
155 #include <openssl/curve25519.h>
156 #include <openssl/dh.h>
157 #include <openssl/md5.h>
158 #include <openssl/objects.h>
159 #include <openssl/opensslconf.h>
160 
161 #include "bytestring.h"
162 #include "dtls_locl.h"
163 #include "ssl_locl.h"
164 #include "ssl_sigalgs.h"
165 #include "ssl_tlsext.h"
166 
167 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
168 
169 /*
170  * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
171  * fixed nonce length in algorithms2. It is the inverse of the
172  * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
173  */
174 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
175 
176 /* list of available SSLv3 ciphers (sorted by id) */
177 const SSL_CIPHER ssl3_ciphers[] = {
178 
179 	/* The RSA ciphers */
180 	/* Cipher 01 */
181 	{
182 		.valid = 1,
183 		.name = SSL3_TXT_RSA_NULL_MD5,
184 		.id = SSL3_CK_RSA_NULL_MD5,
185 		.algorithm_mkey = SSL_kRSA,
186 		.algorithm_auth = SSL_aRSA,
187 		.algorithm_enc = SSL_eNULL,
188 		.algorithm_mac = SSL_MD5,
189 		.algorithm_ssl = SSL_SSLV3,
190 		.algo_strength = SSL_STRONG_NONE,
191 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
192 		.strength_bits = 0,
193 		.alg_bits = 0,
194 	},
195 
196 	/* Cipher 02 */
197 	{
198 		.valid = 1,
199 		.name = SSL3_TXT_RSA_NULL_SHA,
200 		.id = SSL3_CK_RSA_NULL_SHA,
201 		.algorithm_mkey = SSL_kRSA,
202 		.algorithm_auth = SSL_aRSA,
203 		.algorithm_enc = SSL_eNULL,
204 		.algorithm_mac = SSL_SHA1,
205 		.algorithm_ssl = SSL_SSLV3,
206 		.algo_strength = SSL_STRONG_NONE,
207 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
208 		.strength_bits = 0,
209 		.alg_bits = 0,
210 	},
211 
212 	/* Cipher 04 */
213 	{
214 		.valid = 1,
215 		.name = SSL3_TXT_RSA_RC4_128_MD5,
216 		.id = SSL3_CK_RSA_RC4_128_MD5,
217 		.algorithm_mkey = SSL_kRSA,
218 		.algorithm_auth = SSL_aRSA,
219 		.algorithm_enc = SSL_RC4,
220 		.algorithm_mac = SSL_MD5,
221 		.algorithm_ssl = SSL_SSLV3,
222 		.algo_strength = SSL_LOW,
223 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
224 		.strength_bits = 128,
225 		.alg_bits = 128,
226 	},
227 
228 	/* Cipher 05 */
229 	{
230 		.valid = 1,
231 		.name = SSL3_TXT_RSA_RC4_128_SHA,
232 		.id = SSL3_CK_RSA_RC4_128_SHA,
233 		.algorithm_mkey = SSL_kRSA,
234 		.algorithm_auth = SSL_aRSA,
235 		.algorithm_enc = SSL_RC4,
236 		.algorithm_mac = SSL_SHA1,
237 		.algorithm_ssl = SSL_SSLV3,
238 		.algo_strength = SSL_LOW,
239 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
240 		.strength_bits = 128,
241 		.alg_bits = 128,
242 	},
243 
244 	/* Cipher 0A */
245 	{
246 		.valid = 1,
247 		.name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
248 		.id = SSL3_CK_RSA_DES_192_CBC3_SHA,
249 		.algorithm_mkey = SSL_kRSA,
250 		.algorithm_auth = SSL_aRSA,
251 		.algorithm_enc = SSL_3DES,
252 		.algorithm_mac = SSL_SHA1,
253 		.algorithm_ssl = SSL_SSLV3,
254 		.algo_strength = SSL_MEDIUM,
255 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256 		.strength_bits = 112,
257 		.alg_bits = 168,
258 	},
259 
260 	/*
261 	 * Ephemeral DH (DHE) ciphers.
262 	 */
263 
264 	/* Cipher 16 */
265 	{
266 		.valid = 1,
267 		.name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
268 		.id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
269 		.algorithm_mkey = SSL_kDHE,
270 		.algorithm_auth = SSL_aRSA,
271 		.algorithm_enc = SSL_3DES,
272 		.algorithm_mac = SSL_SHA1,
273 		.algorithm_ssl = SSL_SSLV3,
274 		.algo_strength = SSL_MEDIUM,
275 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
276 		.strength_bits = 112,
277 		.alg_bits = 168,
278 	},
279 
280 	/* Cipher 18 */
281 	{
282 		.valid = 1,
283 		.name = SSL3_TXT_ADH_RC4_128_MD5,
284 		.id = SSL3_CK_ADH_RC4_128_MD5,
285 		.algorithm_mkey = SSL_kDHE,
286 		.algorithm_auth = SSL_aNULL,
287 		.algorithm_enc = SSL_RC4,
288 		.algorithm_mac = SSL_MD5,
289 		.algorithm_ssl = SSL_SSLV3,
290 		.algo_strength = SSL_LOW,
291 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
292 		.strength_bits = 128,
293 		.alg_bits = 128,
294 	},
295 
296 	/* Cipher 1B */
297 	{
298 		.valid = 1,
299 		.name = SSL3_TXT_ADH_DES_192_CBC_SHA,
300 		.id = SSL3_CK_ADH_DES_192_CBC_SHA,
301 		.algorithm_mkey = SSL_kDHE,
302 		.algorithm_auth = SSL_aNULL,
303 		.algorithm_enc = SSL_3DES,
304 		.algorithm_mac = SSL_SHA1,
305 		.algorithm_ssl = SSL_SSLV3,
306 		.algo_strength = SSL_MEDIUM,
307 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
308 		.strength_bits = 112,
309 		.alg_bits = 168,
310 	},
311 
312 	/*
313 	 * AES ciphersuites.
314 	 */
315 
316 	/* Cipher 2F */
317 	{
318 		.valid = 1,
319 		.name = TLS1_TXT_RSA_WITH_AES_128_SHA,
320 		.id = TLS1_CK_RSA_WITH_AES_128_SHA,
321 		.algorithm_mkey = SSL_kRSA,
322 		.algorithm_auth = SSL_aRSA,
323 		.algorithm_enc = SSL_AES128,
324 		.algorithm_mac = SSL_SHA1,
325 		.algorithm_ssl = SSL_TLSV1,
326 		.algo_strength = SSL_HIGH,
327 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
328 		.strength_bits = 128,
329 		.alg_bits = 128,
330 	},
331 
332 	/* Cipher 33 */
333 	{
334 		.valid = 1,
335 		.name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
336 		.id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
337 		.algorithm_mkey = SSL_kDHE,
338 		.algorithm_auth = SSL_aRSA,
339 		.algorithm_enc = SSL_AES128,
340 		.algorithm_mac = SSL_SHA1,
341 		.algorithm_ssl = SSL_TLSV1,
342 		.algo_strength = SSL_HIGH,
343 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
344 		.strength_bits = 128,
345 		.alg_bits = 128,
346 	},
347 
348 	/* Cipher 34 */
349 	{
350 		.valid = 1,
351 		.name = TLS1_TXT_ADH_WITH_AES_128_SHA,
352 		.id = TLS1_CK_ADH_WITH_AES_128_SHA,
353 		.algorithm_mkey = SSL_kDHE,
354 		.algorithm_auth = SSL_aNULL,
355 		.algorithm_enc = SSL_AES128,
356 		.algorithm_mac = SSL_SHA1,
357 		.algorithm_ssl = SSL_TLSV1,
358 		.algo_strength = SSL_HIGH,
359 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
360 		.strength_bits = 128,
361 		.alg_bits = 128,
362 	},
363 
364 	/* Cipher 35 */
365 	{
366 		.valid = 1,
367 		.name = TLS1_TXT_RSA_WITH_AES_256_SHA,
368 		.id = TLS1_CK_RSA_WITH_AES_256_SHA,
369 		.algorithm_mkey = SSL_kRSA,
370 		.algorithm_auth = SSL_aRSA,
371 		.algorithm_enc = SSL_AES256,
372 		.algorithm_mac = SSL_SHA1,
373 		.algorithm_ssl = SSL_TLSV1,
374 		.algo_strength = SSL_HIGH,
375 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
376 		.strength_bits = 256,
377 		.alg_bits = 256,
378 	},
379 
380 	/* Cipher 39 */
381 	{
382 		.valid = 1,
383 		.name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
384 		.id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
385 		.algorithm_mkey = SSL_kDHE,
386 		.algorithm_auth = SSL_aRSA,
387 		.algorithm_enc = SSL_AES256,
388 		.algorithm_mac = SSL_SHA1,
389 		.algorithm_ssl = SSL_TLSV1,
390 		.algo_strength = SSL_HIGH,
391 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
392 		.strength_bits = 256,
393 		.alg_bits = 256,
394 	},
395 
396 	/* Cipher 3A */
397 	{
398 		.valid = 1,
399 		.name = TLS1_TXT_ADH_WITH_AES_256_SHA,
400 		.id = TLS1_CK_ADH_WITH_AES_256_SHA,
401 		.algorithm_mkey = SSL_kDHE,
402 		.algorithm_auth = SSL_aNULL,
403 		.algorithm_enc = SSL_AES256,
404 		.algorithm_mac = SSL_SHA1,
405 		.algorithm_ssl = SSL_TLSV1,
406 		.algo_strength = SSL_HIGH,
407 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
408 		.strength_bits = 256,
409 		.alg_bits = 256,
410 	},
411 
412 	/* TLS v1.2 ciphersuites */
413 	/* Cipher 3B */
414 	{
415 		.valid = 1,
416 		.name = TLS1_TXT_RSA_WITH_NULL_SHA256,
417 		.id = TLS1_CK_RSA_WITH_NULL_SHA256,
418 		.algorithm_mkey = SSL_kRSA,
419 		.algorithm_auth = SSL_aRSA,
420 		.algorithm_enc = SSL_eNULL,
421 		.algorithm_mac = SSL_SHA256,
422 		.algorithm_ssl = SSL_TLSV1_2,
423 		.algo_strength = SSL_STRONG_NONE,
424 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
425 		.strength_bits = 0,
426 		.alg_bits = 0,
427 	},
428 
429 	/* Cipher 3C */
430 	{
431 		.valid = 1,
432 		.name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
433 		.id = TLS1_CK_RSA_WITH_AES_128_SHA256,
434 		.algorithm_mkey = SSL_kRSA,
435 		.algorithm_auth = SSL_aRSA,
436 		.algorithm_enc = SSL_AES128,
437 		.algorithm_mac = SSL_SHA256,
438 		.algorithm_ssl = SSL_TLSV1_2,
439 		.algo_strength = SSL_HIGH,
440 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
441 		.strength_bits = 128,
442 		.alg_bits = 128,
443 	},
444 
445 	/* Cipher 3D */
446 	{
447 		.valid = 1,
448 		.name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
449 		.id = TLS1_CK_RSA_WITH_AES_256_SHA256,
450 		.algorithm_mkey = SSL_kRSA,
451 		.algorithm_auth = SSL_aRSA,
452 		.algorithm_enc = SSL_AES256,
453 		.algorithm_mac = SSL_SHA256,
454 		.algorithm_ssl = SSL_TLSV1_2,
455 		.algo_strength = SSL_HIGH,
456 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
457 		.strength_bits = 256,
458 		.alg_bits = 256,
459 	},
460 
461 #ifndef OPENSSL_NO_CAMELLIA
462 	/* Camellia ciphersuites from RFC4132 (128-bit portion) */
463 
464 	/* Cipher 41 */
465 	{
466 		.valid = 1,
467 		.name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
468 		.id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
469 		.algorithm_mkey = SSL_kRSA,
470 		.algorithm_auth = SSL_aRSA,
471 		.algorithm_enc = SSL_CAMELLIA128,
472 		.algorithm_mac = SSL_SHA1,
473 		.algorithm_ssl = SSL_TLSV1,
474 		.algo_strength = SSL_HIGH,
475 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
476 		.strength_bits = 128,
477 		.alg_bits = 128,
478 	},
479 
480 	/* Cipher 45 */
481 	{
482 		.valid = 1,
483 		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
484 		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
485 		.algorithm_mkey = SSL_kDHE,
486 		.algorithm_auth = SSL_aRSA,
487 		.algorithm_enc = SSL_CAMELLIA128,
488 		.algorithm_mac = SSL_SHA1,
489 		.algorithm_ssl = SSL_TLSV1,
490 		.algo_strength = SSL_HIGH,
491 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
492 		.strength_bits = 128,
493 		.alg_bits = 128,
494 	},
495 
496 	/* Cipher 46 */
497 	{
498 		.valid = 1,
499 		.name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
500 		.id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
501 		.algorithm_mkey = SSL_kDHE,
502 		.algorithm_auth = SSL_aNULL,
503 		.algorithm_enc = SSL_CAMELLIA128,
504 		.algorithm_mac = SSL_SHA1,
505 		.algorithm_ssl = SSL_TLSV1,
506 		.algo_strength = SSL_HIGH,
507 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
508 		.strength_bits = 128,
509 		.alg_bits = 128,
510 	},
511 #endif /* OPENSSL_NO_CAMELLIA */
512 
513 	/* TLS v1.2 ciphersuites */
514 	/* Cipher 67 */
515 	{
516 		.valid = 1,
517 		.name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
518 		.id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
519 		.algorithm_mkey = SSL_kDHE,
520 		.algorithm_auth = SSL_aRSA,
521 		.algorithm_enc = SSL_AES128,
522 		.algorithm_mac = SSL_SHA256,
523 		.algorithm_ssl = SSL_TLSV1_2,
524 		.algo_strength = SSL_HIGH,
525 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
526 		.strength_bits = 128,
527 		.alg_bits = 128,
528 	},
529 
530 	/* Cipher 6B */
531 	{
532 		.valid = 1,
533 		.name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
534 		.id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
535 		.algorithm_mkey = SSL_kDHE,
536 		.algorithm_auth = SSL_aRSA,
537 		.algorithm_enc = SSL_AES256,
538 		.algorithm_mac = SSL_SHA256,
539 		.algorithm_ssl = SSL_TLSV1_2,
540 		.algo_strength = SSL_HIGH,
541 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
542 		.strength_bits = 256,
543 		.alg_bits = 256,
544 	},
545 
546 	/* Cipher 6C */
547 	{
548 		.valid = 1,
549 		.name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
550 		.id = TLS1_CK_ADH_WITH_AES_128_SHA256,
551 		.algorithm_mkey = SSL_kDHE,
552 		.algorithm_auth = SSL_aNULL,
553 		.algorithm_enc = SSL_AES128,
554 		.algorithm_mac = SSL_SHA256,
555 		.algorithm_ssl = SSL_TLSV1_2,
556 		.algo_strength = SSL_HIGH,
557 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
558 		.strength_bits = 128,
559 		.alg_bits = 128,
560 	},
561 
562 	/* Cipher 6D */
563 	{
564 		.valid = 1,
565 		.name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
566 		.id = TLS1_CK_ADH_WITH_AES_256_SHA256,
567 		.algorithm_mkey = SSL_kDHE,
568 		.algorithm_auth = SSL_aNULL,
569 		.algorithm_enc = SSL_AES256,
570 		.algorithm_mac = SSL_SHA256,
571 		.algorithm_ssl = SSL_TLSV1_2,
572 		.algo_strength = SSL_HIGH,
573 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
574 		.strength_bits = 256,
575 		.alg_bits = 256,
576 	},
577 
578 	/* GOST Ciphersuites */
579 
580 	/* Cipher 81 */
581 	{
582 		.valid = 1,
583 		.name = "GOST2001-GOST89-GOST89",
584 		.id = 0x3000081,
585 		.algorithm_mkey = SSL_kGOST,
586 		.algorithm_auth = SSL_aGOST01,
587 		.algorithm_enc = SSL_eGOST2814789CNT,
588 		.algorithm_mac = SSL_GOST89MAC,
589 		.algorithm_ssl = SSL_TLSV1,
590 		.algo_strength = SSL_HIGH,
591 		.algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
592 		    TLS1_STREAM_MAC,
593 		.strength_bits = 256,
594 		.alg_bits = 256
595 	},
596 
597 	/* Cipher 83 */
598 	{
599 		.valid = 1,
600 		.name = "GOST2001-NULL-GOST94",
601 		.id = 0x3000083,
602 		.algorithm_mkey = SSL_kGOST,
603 		.algorithm_auth = SSL_aGOST01,
604 		.algorithm_enc = SSL_eNULL,
605 		.algorithm_mac = SSL_GOST94,
606 		.algorithm_ssl = SSL_TLSV1,
607 		.algo_strength = SSL_STRONG_NONE,
608 		.algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
609 		.strength_bits = 0,
610 		.alg_bits = 0
611 	},
612 
613 #ifndef OPENSSL_NO_CAMELLIA
614 	/* Camellia ciphersuites from RFC4132 (256-bit portion) */
615 
616 	/* Cipher 84 */
617 	{
618 		.valid = 1,
619 		.name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
620 		.id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
621 		.algorithm_mkey = SSL_kRSA,
622 		.algorithm_auth = SSL_aRSA,
623 		.algorithm_enc = SSL_CAMELLIA256,
624 		.algorithm_mac = SSL_SHA1,
625 		.algorithm_ssl = SSL_TLSV1,
626 		.algo_strength = SSL_HIGH,
627 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
628 		.strength_bits = 256,
629 		.alg_bits = 256,
630 	},
631 
632 	/* Cipher 88 */
633 	{
634 		.valid = 1,
635 		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
636 		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
637 		.algorithm_mkey = SSL_kDHE,
638 		.algorithm_auth = SSL_aRSA,
639 		.algorithm_enc = SSL_CAMELLIA256,
640 		.algorithm_mac = SSL_SHA1,
641 		.algorithm_ssl = SSL_TLSV1,
642 		.algo_strength = SSL_HIGH,
643 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
644 		.strength_bits = 256,
645 		.alg_bits = 256,
646 	},
647 
648 	/* Cipher 89 */
649 	{
650 		.valid = 1,
651 		.name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
652 		.id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
653 		.algorithm_mkey = SSL_kDHE,
654 		.algorithm_auth = SSL_aNULL,
655 		.algorithm_enc = SSL_CAMELLIA256,
656 		.algorithm_mac = SSL_SHA1,
657 		.algorithm_ssl = SSL_TLSV1,
658 		.algo_strength = SSL_HIGH,
659 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
660 		.strength_bits = 256,
661 		.alg_bits = 256,
662 	},
663 #endif /* OPENSSL_NO_CAMELLIA */
664 
665 	/*
666 	 * GCM ciphersuites from RFC5288.
667 	 */
668 
669 	/* Cipher 9C */
670 	{
671 		.valid = 1,
672 		.name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
673 		.id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
674 		.algorithm_mkey = SSL_kRSA,
675 		.algorithm_auth = SSL_aRSA,
676 		.algorithm_enc = SSL_AES128GCM,
677 		.algorithm_mac = SSL_AEAD,
678 		.algorithm_ssl = SSL_TLSV1_2,
679 		.algo_strength = SSL_HIGH,
680 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
681 		    FIXED_NONCE_LEN(4)|
682 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
683 		.strength_bits = 128,
684 		.alg_bits = 128,
685 	},
686 
687 	/* Cipher 9D */
688 	{
689 		.valid = 1,
690 		.name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
691 		.id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
692 		.algorithm_mkey = SSL_kRSA,
693 		.algorithm_auth = SSL_aRSA,
694 		.algorithm_enc = SSL_AES256GCM,
695 		.algorithm_mac = SSL_AEAD,
696 		.algorithm_ssl = SSL_TLSV1_2,
697 		.algo_strength = SSL_HIGH,
698 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
699 		    FIXED_NONCE_LEN(4)|
700 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
701 		.strength_bits = 256,
702 		.alg_bits = 256,
703 	},
704 
705 	/* Cipher 9E */
706 	{
707 		.valid = 1,
708 		.name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
709 		.id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
710 		.algorithm_mkey = SSL_kDHE,
711 		.algorithm_auth = SSL_aRSA,
712 		.algorithm_enc = SSL_AES128GCM,
713 		.algorithm_mac = SSL_AEAD,
714 		.algorithm_ssl = SSL_TLSV1_2,
715 		.algo_strength = SSL_HIGH,
716 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
717 		    FIXED_NONCE_LEN(4)|
718 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
719 		.strength_bits = 128,
720 		.alg_bits = 128,
721 	},
722 
723 	/* Cipher 9F */
724 	{
725 		.valid = 1,
726 		.name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
727 		.id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
728 		.algorithm_mkey = SSL_kDHE,
729 		.algorithm_auth = SSL_aRSA,
730 		.algorithm_enc = SSL_AES256GCM,
731 		.algorithm_mac = SSL_AEAD,
732 		.algorithm_ssl = SSL_TLSV1_2,
733 		.algo_strength = SSL_HIGH,
734 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
735 		    FIXED_NONCE_LEN(4)|
736 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
737 		.strength_bits = 256,
738 		.alg_bits = 256,
739 	},
740 
741 	/* Cipher A6 */
742 	{
743 		.valid = 1,
744 		.name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
745 		.id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
746 		.algorithm_mkey = SSL_kDHE,
747 		.algorithm_auth = SSL_aNULL,
748 		.algorithm_enc = SSL_AES128GCM,
749 		.algorithm_mac = SSL_AEAD,
750 		.algorithm_ssl = SSL_TLSV1_2,
751 		.algo_strength = SSL_HIGH,
752 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
753 		    FIXED_NONCE_LEN(4)|
754 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
755 		.strength_bits = 128,
756 		.alg_bits = 128,
757 	},
758 
759 	/* Cipher A7 */
760 	{
761 		.valid = 1,
762 		.name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
763 		.id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
764 		.algorithm_mkey = SSL_kDHE,
765 		.algorithm_auth = SSL_aNULL,
766 		.algorithm_enc = SSL_AES256GCM,
767 		.algorithm_mac = SSL_AEAD,
768 		.algorithm_ssl = SSL_TLSV1_2,
769 		.algo_strength = SSL_HIGH,
770 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
771 		    FIXED_NONCE_LEN(4)|
772 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
773 		.strength_bits = 256,
774 		.alg_bits = 256,
775 	},
776 
777 #ifndef OPENSSL_NO_CAMELLIA
778 	/* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
779 
780 	/* Cipher BA */
781 	{
782 		.valid = 1,
783 		.name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
784 		.id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
785 		.algorithm_mkey = SSL_kRSA,
786 		.algorithm_auth = SSL_aRSA,
787 		.algorithm_enc = SSL_CAMELLIA128,
788 		.algorithm_mac = SSL_SHA256,
789 		.algorithm_ssl = SSL_TLSV1_2,
790 		.algo_strength = SSL_HIGH,
791 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
792 		.strength_bits = 128,
793 		.alg_bits = 128,
794 	},
795 
796 	/* Cipher BE */
797 	{
798 		.valid = 1,
799 		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
800 		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
801 		.algorithm_mkey = SSL_kDHE,
802 		.algorithm_auth = SSL_aRSA,
803 		.algorithm_enc = SSL_CAMELLIA128,
804 		.algorithm_mac = SSL_SHA256,
805 		.algorithm_ssl = SSL_TLSV1_2,
806 		.algo_strength = SSL_HIGH,
807 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
808 		.strength_bits = 128,
809 		.alg_bits = 128,
810 	},
811 
812 	/* Cipher BF */
813 	{
814 		.valid = 1,
815 		.name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
816 		.id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
817 		.algorithm_mkey = SSL_kDHE,
818 		.algorithm_auth = SSL_aNULL,
819 		.algorithm_enc = SSL_CAMELLIA128,
820 		.algorithm_mac = SSL_SHA256,
821 		.algorithm_ssl = SSL_TLSV1_2,
822 		.algo_strength = SSL_HIGH,
823 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
824 		.strength_bits = 128,
825 		.alg_bits = 128,
826 	},
827 
828 	/* Cipher C0 */
829 	{
830 		.valid = 1,
831 		.name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
832 		.id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
833 		.algorithm_mkey = SSL_kRSA,
834 		.algorithm_auth = SSL_aRSA,
835 		.algorithm_enc = SSL_CAMELLIA256,
836 		.algorithm_mac = SSL_SHA256,
837 		.algorithm_ssl = SSL_TLSV1_2,
838 		.algo_strength = SSL_HIGH,
839 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
840 		.strength_bits = 256,
841 		.alg_bits = 256,
842 	},
843 
844 	/* Cipher C4 */
845 	{
846 		.valid = 1,
847 		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
848 		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
849 		.algorithm_mkey = SSL_kDHE,
850 		.algorithm_auth = SSL_aRSA,
851 		.algorithm_enc = SSL_CAMELLIA256,
852 		.algorithm_mac = SSL_SHA256,
853 		.algorithm_ssl = SSL_TLSV1_2,
854 		.algo_strength = SSL_HIGH,
855 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
856 		.strength_bits = 256,
857 		.alg_bits = 256,
858 	},
859 
860 	/* Cipher C5 */
861 	{
862 		.valid = 1,
863 		.name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
864 		.id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
865 		.algorithm_mkey = SSL_kDHE,
866 		.algorithm_auth = SSL_aNULL,
867 		.algorithm_enc = SSL_CAMELLIA256,
868 		.algorithm_mac = SSL_SHA256,
869 		.algorithm_ssl = SSL_TLSV1_2,
870 		.algo_strength = SSL_HIGH,
871 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
872 		.strength_bits = 256,
873 		.alg_bits = 256,
874 	},
875 #endif /* OPENSSL_NO_CAMELLIA */
876 
877 	/*
878 	 * TLSv1.3 cipher suites.
879 	 */
880 
881 #ifdef LIBRESSL_HAS_TLS1_3
882 	/* Cipher 1301 */
883 	{
884 		.valid = 1,
885 		.name = TLS1_3_RFC_AES_128_GCM_SHA256,
886 		.id = TLS1_3_CK_AES_128_GCM_SHA256,
887 		.algorithm_mkey = SSL_kTLS1_3,
888 		.algorithm_auth = SSL_aTLS1_3,
889 		.algorithm_enc = SSL_AES128GCM,
890 		.algorithm_mac = SSL_AEAD,
891 		.algorithm_ssl = SSL_TLSV1_3,
892 		.algo_strength = SSL_HIGH,
893 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
894 		.strength_bits = 128,
895 		.alg_bits = 128,
896 	},
897 
898 	/* Cipher 1302 */
899 	{
900 		.valid = 1,
901 		.name = TLS1_3_RFC_AES_256_GCM_SHA384,
902 		.id = TLS1_3_CK_AES_256_GCM_SHA384,
903 		.algorithm_mkey = SSL_kTLS1_3,
904 		.algorithm_auth = SSL_aTLS1_3,
905 		.algorithm_enc = SSL_AES256GCM,
906 		.algorithm_mac = SSL_AEAD,
907 		.algorithm_ssl = SSL_TLSV1_3,
908 		.algo_strength = SSL_HIGH,
909 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
910 		.strength_bits = 256,
911 		.alg_bits = 256,
912 	},
913 
914 	/* Cipher 1303 */
915 	{
916 		.valid = 1,
917 		.name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
918 		.id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
919 		.algorithm_mkey = SSL_kTLS1_3,
920 		.algorithm_auth = SSL_aTLS1_3,
921 		.algorithm_enc = SSL_CHACHA20POLY1305,
922 		.algorithm_mac = SSL_AEAD,
923 		.algorithm_ssl = SSL_TLSV1_3,
924 		.algo_strength = SSL_HIGH,
925 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
926 		.strength_bits = 256,
927 		.alg_bits = 256,
928 	},
929 #endif
930 
931 	/* Cipher C006 */
932 	{
933 		.valid = 1,
934 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
935 		.id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
936 		.algorithm_mkey = SSL_kECDHE,
937 		.algorithm_auth = SSL_aECDSA,
938 		.algorithm_enc = SSL_eNULL,
939 		.algorithm_mac = SSL_SHA1,
940 		.algorithm_ssl = SSL_TLSV1,
941 		.algo_strength = SSL_STRONG_NONE,
942 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
943 		.strength_bits = 0,
944 		.alg_bits = 0,
945 	},
946 
947 	/* Cipher C007 */
948 	{
949 		.valid = 1,
950 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
951 		.id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
952 		.algorithm_mkey = SSL_kECDHE,
953 		.algorithm_auth = SSL_aECDSA,
954 		.algorithm_enc = SSL_RC4,
955 		.algorithm_mac = SSL_SHA1,
956 		.algorithm_ssl = SSL_TLSV1,
957 		.algo_strength = SSL_LOW,
958 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
959 		.strength_bits = 128,
960 		.alg_bits = 128,
961 	},
962 
963 	/* Cipher C008 */
964 	{
965 		.valid = 1,
966 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
967 		.id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
968 		.algorithm_mkey = SSL_kECDHE,
969 		.algorithm_auth = SSL_aECDSA,
970 		.algorithm_enc = SSL_3DES,
971 		.algorithm_mac = SSL_SHA1,
972 		.algorithm_ssl = SSL_TLSV1,
973 		.algo_strength = SSL_MEDIUM,
974 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
975 		.strength_bits = 112,
976 		.alg_bits = 168,
977 	},
978 
979 	/* Cipher C009 */
980 	{
981 		.valid = 1,
982 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
983 		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
984 		.algorithm_mkey = SSL_kECDHE,
985 		.algorithm_auth = SSL_aECDSA,
986 		.algorithm_enc = SSL_AES128,
987 		.algorithm_mac = SSL_SHA1,
988 		.algorithm_ssl = SSL_TLSV1,
989 		.algo_strength = SSL_HIGH,
990 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
991 		.strength_bits = 128,
992 		.alg_bits = 128,
993 	},
994 
995 	/* Cipher C00A */
996 	{
997 		.valid = 1,
998 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
999 		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1000 		.algorithm_mkey = SSL_kECDHE,
1001 		.algorithm_auth = SSL_aECDSA,
1002 		.algorithm_enc = SSL_AES256,
1003 		.algorithm_mac = SSL_SHA1,
1004 		.algorithm_ssl = SSL_TLSV1,
1005 		.algo_strength = SSL_HIGH,
1006 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1007 		.strength_bits = 256,
1008 		.alg_bits = 256,
1009 	},
1010 
1011 	/* Cipher C010 */
1012 	{
1013 		.valid = 1,
1014 		.name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1015 		.id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1016 		.algorithm_mkey = SSL_kECDHE,
1017 		.algorithm_auth = SSL_aRSA,
1018 		.algorithm_enc = SSL_eNULL,
1019 		.algorithm_mac = SSL_SHA1,
1020 		.algorithm_ssl = SSL_TLSV1,
1021 		.algo_strength = SSL_STRONG_NONE,
1022 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1023 		.strength_bits = 0,
1024 		.alg_bits = 0,
1025 	},
1026 
1027 	/* Cipher C011 */
1028 	{
1029 		.valid = 1,
1030 		.name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1031 		.id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1032 		.algorithm_mkey = SSL_kECDHE,
1033 		.algorithm_auth = SSL_aRSA,
1034 		.algorithm_enc = SSL_RC4,
1035 		.algorithm_mac = SSL_SHA1,
1036 		.algorithm_ssl = SSL_TLSV1,
1037 		.algo_strength = SSL_LOW,
1038 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1039 		.strength_bits = 128,
1040 		.alg_bits = 128,
1041 	},
1042 
1043 	/* Cipher C012 */
1044 	{
1045 		.valid = 1,
1046 		.name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1047 		.id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1048 		.algorithm_mkey = SSL_kECDHE,
1049 		.algorithm_auth = SSL_aRSA,
1050 		.algorithm_enc = SSL_3DES,
1051 		.algorithm_mac = SSL_SHA1,
1052 		.algorithm_ssl = SSL_TLSV1,
1053 		.algo_strength = SSL_MEDIUM,
1054 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1055 		.strength_bits = 112,
1056 		.alg_bits = 168,
1057 	},
1058 
1059 	/* Cipher C013 */
1060 	{
1061 		.valid = 1,
1062 		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1063 		.id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1064 		.algorithm_mkey = SSL_kECDHE,
1065 		.algorithm_auth = SSL_aRSA,
1066 		.algorithm_enc = SSL_AES128,
1067 		.algorithm_mac = SSL_SHA1,
1068 		.algorithm_ssl = SSL_TLSV1,
1069 		.algo_strength = SSL_HIGH,
1070 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1071 		.strength_bits = 128,
1072 		.alg_bits = 128,
1073 	},
1074 
1075 	/* Cipher C014 */
1076 	{
1077 		.valid = 1,
1078 		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1079 		.id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1080 		.algorithm_mkey = SSL_kECDHE,
1081 		.algorithm_auth = SSL_aRSA,
1082 		.algorithm_enc = SSL_AES256,
1083 		.algorithm_mac = SSL_SHA1,
1084 		.algorithm_ssl = SSL_TLSV1,
1085 		.algo_strength = SSL_HIGH,
1086 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1087 		.strength_bits = 256,
1088 		.alg_bits = 256,
1089 	},
1090 
1091 	/* Cipher C015 */
1092 	{
1093 		.valid = 1,
1094 		.name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1095 		.id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1096 		.algorithm_mkey = SSL_kECDHE,
1097 		.algorithm_auth = SSL_aNULL,
1098 		.algorithm_enc = SSL_eNULL,
1099 		.algorithm_mac = SSL_SHA1,
1100 		.algorithm_ssl = SSL_TLSV1,
1101 		.algo_strength = SSL_STRONG_NONE,
1102 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1103 		.strength_bits = 0,
1104 		.alg_bits = 0,
1105 	},
1106 
1107 	/* Cipher C016 */
1108 	{
1109 		.valid = 1,
1110 		.name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1111 		.id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1112 		.algorithm_mkey = SSL_kECDHE,
1113 		.algorithm_auth = SSL_aNULL,
1114 		.algorithm_enc = SSL_RC4,
1115 		.algorithm_mac = SSL_SHA1,
1116 		.algorithm_ssl = SSL_TLSV1,
1117 		.algo_strength = SSL_LOW,
1118 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1119 		.strength_bits = 128,
1120 		.alg_bits = 128,
1121 	},
1122 
1123 	/* Cipher C017 */
1124 	{
1125 		.valid = 1,
1126 		.name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1127 		.id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1128 		.algorithm_mkey = SSL_kECDHE,
1129 		.algorithm_auth = SSL_aNULL,
1130 		.algorithm_enc = SSL_3DES,
1131 		.algorithm_mac = SSL_SHA1,
1132 		.algorithm_ssl = SSL_TLSV1,
1133 		.algo_strength = SSL_MEDIUM,
1134 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1135 		.strength_bits = 112,
1136 		.alg_bits = 168,
1137 	},
1138 
1139 	/* Cipher C018 */
1140 	{
1141 		.valid = 1,
1142 		.name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1143 		.id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1144 		.algorithm_mkey = SSL_kECDHE,
1145 		.algorithm_auth = SSL_aNULL,
1146 		.algorithm_enc = SSL_AES128,
1147 		.algorithm_mac = SSL_SHA1,
1148 		.algorithm_ssl = SSL_TLSV1,
1149 		.algo_strength = SSL_HIGH,
1150 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1151 		.strength_bits = 128,
1152 		.alg_bits = 128,
1153 	},
1154 
1155 	/* Cipher C019 */
1156 	{
1157 		.valid = 1,
1158 		.name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1159 		.id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1160 		.algorithm_mkey = SSL_kECDHE,
1161 		.algorithm_auth = SSL_aNULL,
1162 		.algorithm_enc = SSL_AES256,
1163 		.algorithm_mac = SSL_SHA1,
1164 		.algorithm_ssl = SSL_TLSV1,
1165 		.algo_strength = SSL_HIGH,
1166 		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1167 		.strength_bits = 256,
1168 		.alg_bits = 256,
1169 	},
1170 
1171 
1172 	/* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1173 
1174 	/* Cipher C023 */
1175 	{
1176 		.valid = 1,
1177 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1178 		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1179 		.algorithm_mkey = SSL_kECDHE,
1180 		.algorithm_auth = SSL_aECDSA,
1181 		.algorithm_enc = SSL_AES128,
1182 		.algorithm_mac = SSL_SHA256,
1183 		.algorithm_ssl = SSL_TLSV1_2,
1184 		.algo_strength = SSL_HIGH,
1185 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1186 		.strength_bits = 128,
1187 		.alg_bits = 128,
1188 	},
1189 
1190 	/* Cipher C024 */
1191 	{
1192 		.valid = 1,
1193 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1194 		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1195 		.algorithm_mkey = SSL_kECDHE,
1196 		.algorithm_auth = SSL_aECDSA,
1197 		.algorithm_enc = SSL_AES256,
1198 		.algorithm_mac = SSL_SHA384,
1199 		.algorithm_ssl = SSL_TLSV1_2,
1200 		.algo_strength = SSL_HIGH,
1201 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1202 		.strength_bits = 256,
1203 		.alg_bits = 256,
1204 	},
1205 
1206 	/* Cipher C027 */
1207 	{
1208 		.valid = 1,
1209 		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1210 		.id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1211 		.algorithm_mkey = SSL_kECDHE,
1212 		.algorithm_auth = SSL_aRSA,
1213 		.algorithm_enc = SSL_AES128,
1214 		.algorithm_mac = SSL_SHA256,
1215 		.algorithm_ssl = SSL_TLSV1_2,
1216 		.algo_strength = SSL_HIGH,
1217 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1218 		.strength_bits = 128,
1219 		.alg_bits = 128,
1220 	},
1221 
1222 	/* Cipher C028 */
1223 	{
1224 		.valid = 1,
1225 		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1226 		.id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1227 		.algorithm_mkey = SSL_kECDHE,
1228 		.algorithm_auth = SSL_aRSA,
1229 		.algorithm_enc = SSL_AES256,
1230 		.algorithm_mac = SSL_SHA384,
1231 		.algorithm_ssl = SSL_TLSV1_2,
1232 		.algo_strength = SSL_HIGH,
1233 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1234 		.strength_bits = 256,
1235 		.alg_bits = 256,
1236 	},
1237 
1238 	/* GCM based TLS v1.2 ciphersuites from RFC5289 */
1239 
1240 	/* Cipher C02B */
1241 	{
1242 		.valid = 1,
1243 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1244 		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1245 		.algorithm_mkey = SSL_kECDHE,
1246 		.algorithm_auth = SSL_aECDSA,
1247 		.algorithm_enc = SSL_AES128GCM,
1248 		.algorithm_mac = SSL_AEAD,
1249 		.algorithm_ssl = SSL_TLSV1_2,
1250 		.algo_strength = SSL_HIGH,
1251 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1252 		    FIXED_NONCE_LEN(4)|
1253 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1254 		.strength_bits = 128,
1255 		.alg_bits = 128,
1256 	},
1257 
1258 	/* Cipher C02C */
1259 	{
1260 		.valid = 1,
1261 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1262 		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1263 		.algorithm_mkey = SSL_kECDHE,
1264 		.algorithm_auth = SSL_aECDSA,
1265 		.algorithm_enc = SSL_AES256GCM,
1266 		.algorithm_mac = SSL_AEAD,
1267 		.algorithm_ssl = SSL_TLSV1_2,
1268 		.algo_strength = SSL_HIGH,
1269 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1270 		    FIXED_NONCE_LEN(4)|
1271 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1272 		.strength_bits = 256,
1273 		.alg_bits = 256,
1274 	},
1275 
1276 	/* Cipher C02F */
1277 	{
1278 		.valid = 1,
1279 		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1280 		.id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1281 		.algorithm_mkey = SSL_kECDHE,
1282 		.algorithm_auth = SSL_aRSA,
1283 		.algorithm_enc = SSL_AES128GCM,
1284 		.algorithm_mac = SSL_AEAD,
1285 		.algorithm_ssl = SSL_TLSV1_2,
1286 		.algo_strength = SSL_HIGH,
1287 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1288 		    FIXED_NONCE_LEN(4)|
1289 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1290 		.strength_bits = 128,
1291 		.alg_bits = 128,
1292 	},
1293 
1294 	/* Cipher C030 */
1295 	{
1296 		.valid = 1,
1297 		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1298 		.id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1299 		.algorithm_mkey = SSL_kECDHE,
1300 		.algorithm_auth = SSL_aRSA,
1301 		.algorithm_enc = SSL_AES256GCM,
1302 		.algorithm_mac = SSL_AEAD,
1303 		.algorithm_ssl = SSL_TLSV1_2,
1304 		.algo_strength = SSL_HIGH,
1305 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1306 		    FIXED_NONCE_LEN(4)|
1307 		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1308 		.strength_bits = 256,
1309 		.alg_bits = 256,
1310 	},
1311 
1312 	/* Cipher CCA8 */
1313 	{
1314 		.valid = 1,
1315 		.name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1316 		.id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1317 		.algorithm_mkey = SSL_kECDHE,
1318 		.algorithm_auth = SSL_aRSA,
1319 		.algorithm_enc = SSL_CHACHA20POLY1305,
1320 		.algorithm_mac = SSL_AEAD,
1321 		.algorithm_ssl = SSL_TLSV1_2,
1322 		.algo_strength = SSL_HIGH,
1323 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1324 		    FIXED_NONCE_LEN(12),
1325 		.strength_bits = 256,
1326 		.alg_bits = 256,
1327 	},
1328 
1329 	/* Cipher CCA9 */
1330 	{
1331 		.valid = 1,
1332 		.name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1333 		.id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1334 		.algorithm_mkey = SSL_kECDHE,
1335 		.algorithm_auth = SSL_aECDSA,
1336 		.algorithm_enc = SSL_CHACHA20POLY1305,
1337 		.algorithm_mac = SSL_AEAD,
1338 		.algorithm_ssl = SSL_TLSV1_2,
1339 		.algo_strength = SSL_HIGH,
1340 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1341 		    FIXED_NONCE_LEN(12),
1342 		.strength_bits = 256,
1343 		.alg_bits = 256,
1344 	},
1345 
1346 	/* Cipher CCAA */
1347 	{
1348 		.valid = 1,
1349 		.name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1350 		.id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1351 		.algorithm_mkey = SSL_kDHE,
1352 		.algorithm_auth = SSL_aRSA,
1353 		.algorithm_enc = SSL_CHACHA20POLY1305,
1354 		.algorithm_mac = SSL_AEAD,
1355 		.algorithm_ssl = SSL_TLSV1_2,
1356 		.algo_strength = SSL_HIGH,
1357 		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1358 		    FIXED_NONCE_LEN(12),
1359 		.strength_bits = 256,
1360 		.alg_bits = 256,
1361 	},
1362 
1363 	/* Cipher FF85 FIXME IANA */
1364 	{
1365 		.valid = 1,
1366 		.name = "GOST2012256-GOST89-GOST89",
1367 		.id = 0x300ff85, /* FIXME IANA */
1368 		.algorithm_mkey = SSL_kGOST,
1369 		.algorithm_auth = SSL_aGOST01,
1370 		.algorithm_enc = SSL_eGOST2814789CNT,
1371 		.algorithm_mac = SSL_GOST89MAC,
1372 		.algorithm_ssl = SSL_TLSV1,
1373 		.algo_strength = SSL_HIGH,
1374 		.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1375 		    TLS1_STREAM_MAC,
1376 		.strength_bits = 256,
1377 		.alg_bits = 256
1378 	},
1379 
1380 	/* Cipher FF87 FIXME IANA */
1381 	{
1382 		.valid = 1,
1383 		.name = "GOST2012256-NULL-STREEBOG256",
1384 		.id = 0x300ff87, /* FIXME IANA */
1385 		.algorithm_mkey = SSL_kGOST,
1386 		.algorithm_auth = SSL_aGOST01,
1387 		.algorithm_enc = SSL_eNULL,
1388 		.algorithm_mac = SSL_STREEBOG256,
1389 		.algorithm_ssl = SSL_TLSV1,
1390 		.algo_strength = SSL_STRONG_NONE,
1391 		.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1392 		.strength_bits = 0,
1393 		.alg_bits = 0
1394 	},
1395 
1396 
1397 	/* end of list */
1398 };
1399 
1400 int
1401 ssl3_num_ciphers(void)
1402 {
1403 	return (SSL3_NUM_CIPHERS);
1404 }
1405 
1406 const SSL_CIPHER *
1407 ssl3_get_cipher(unsigned int u)
1408 {
1409 	if (u < SSL3_NUM_CIPHERS)
1410 		return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1411 	else
1412 		return (NULL);
1413 }
1414 
1415 const SSL_CIPHER *
1416 ssl3_get_cipher_by_id(unsigned int id)
1417 {
1418 	const SSL_CIPHER *cp;
1419 	SSL_CIPHER c;
1420 
1421 	c.id = id;
1422 	cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1423 	if (cp != NULL && cp->valid == 1)
1424 		return (cp);
1425 
1426 	return (NULL);
1427 }
1428 
1429 const SSL_CIPHER *
1430 ssl3_get_cipher_by_value(uint16_t value)
1431 {
1432 	return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1433 }
1434 
1435 uint16_t
1436 ssl3_cipher_get_value(const SSL_CIPHER *c)
1437 {
1438 	return (c->id & SSL3_CK_VALUE_MASK);
1439 }
1440 
1441 int
1442 ssl3_pending(const SSL *s)
1443 {
1444 	if (s->internal->rstate == SSL_ST_READ_BODY)
1445 		return 0;
1446 
1447 	return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1448 	    s->s3->rrec.length : 0;
1449 }
1450 
1451 int
1452 ssl3_handshake_msg_hdr_len(SSL *s)
1453 {
1454 	return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1455             SSL3_HM_HEADER_LENGTH);
1456 }
1457 
1458 int
1459 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1460 {
1461 	int ret = 0;
1462 
1463 	if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1464 		goto err;
1465 	if (!CBB_add_u8(handshake, msg_type))
1466 		goto err;
1467 	if (SSL_is_dtls(s)) {
1468 		unsigned char *data;
1469 
1470 		if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1471 		    SSL3_HM_HEADER_LENGTH))
1472 			goto err;
1473 	}
1474 	if (!CBB_add_u24_length_prefixed(handshake, body))
1475 		goto err;
1476 
1477 	ret = 1;
1478 
1479  err:
1480 	return (ret);
1481 }
1482 
1483 int
1484 ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1485 {
1486 	unsigned char *data = NULL;
1487 	size_t outlen;
1488 	int ret = 0;
1489 
1490 	if (!CBB_finish(handshake, &data, &outlen))
1491 		goto err;
1492 
1493 	if (outlen > INT_MAX)
1494 		goto err;
1495 
1496 	if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1497 		goto err;
1498 
1499 	memcpy(s->internal->init_buf->data, data, outlen);
1500 
1501 	s->internal->init_num = (int)outlen;
1502 	s->internal->init_off = 0;
1503 
1504 	if (SSL_is_dtls(s)) {
1505 		unsigned long len;
1506 		uint8_t msg_type;
1507 		CBS cbs;
1508 
1509 		CBS_init(&cbs, data, outlen);
1510 		if (!CBS_get_u8(&cbs, &msg_type))
1511 			goto err;
1512 
1513 		len = outlen - ssl3_handshake_msg_hdr_len(s);
1514 
1515 		dtls1_set_message_header(s, msg_type, len, 0, len);
1516 		dtls1_buffer_message(s, 0);
1517 	}
1518 
1519 	ret = 1;
1520 
1521  err:
1522 	free(data);
1523 
1524 	return (ret);
1525 }
1526 
1527 int
1528 ssl3_handshake_write(SSL *s)
1529 {
1530 	return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1531 }
1532 
1533 int
1534 ssl3_record_write(SSL *s, int type)
1535 {
1536 	if (SSL_is_dtls(s))
1537 		return dtls1_do_write(s, type);
1538 
1539 	return ssl3_do_write(s, type);
1540 }
1541 
1542 int
1543 ssl3_new(SSL *s)
1544 {
1545 	if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1546 		return (0);
1547 
1548 	s->method->ssl_clear(s);
1549 
1550 	return (1);
1551 }
1552 
1553 void
1554 ssl3_free(SSL *s)
1555 {
1556 	if (s == NULL)
1557 		return;
1558 
1559 	tls1_cleanup_key_block(s);
1560 	ssl3_release_read_buffer(s);
1561 	ssl3_release_write_buffer(s);
1562 
1563 	freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1564 	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1565 	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1566 	tls_key_share_free(s->s3->hs.key_share);
1567 
1568 	tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1569 	freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1570 	tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1571 
1572 	tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1573 
1574 	sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1575 	sk_X509_pop_free(s->internal->verified_chain, X509_free);
1576 
1577 	tls1_transcript_free(s);
1578 	tls1_transcript_hash_free(s);
1579 
1580 	free(s->s3->alpn_selected);
1581 
1582 	freezero(s->s3->peer_quic_transport_params,
1583 	    s->s3->peer_quic_transport_params_len);
1584 
1585 	freezero(s->s3, sizeof(*s->s3));
1586 
1587 	s->s3 = NULL;
1588 }
1589 
1590 void
1591 ssl3_clear(SSL *s)
1592 {
1593 	unsigned char *rp, *wp;
1594 	size_t rlen, wlen;
1595 
1596 	tls1_cleanup_key_block(s);
1597 	sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1598 	sk_X509_pop_free(s->internal->verified_chain, X509_free);
1599 	s->internal->verified_chain = NULL;
1600 
1601 	freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
1602 	s->s3->hs.sigalgs = NULL;
1603 	s->s3->hs.sigalgs_len = 0;
1604 
1605 	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
1606 	s->s3->hs.peer_certs = NULL;
1607 	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
1608 	s->s3->hs.peer_certs_no_leaf = NULL;
1609 
1610 	tls_key_share_free(s->s3->hs.key_share);
1611 	s->s3->hs.key_share = NULL;
1612 
1613 	tls13_secrets_destroy(s->s3->hs.tls13.secrets);
1614 	s->s3->hs.tls13.secrets = NULL;
1615 	freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
1616 	s->s3->hs.tls13.cookie = NULL;
1617 	s->s3->hs.tls13.cookie_len = 0;
1618 	tls13_clienthello_hash_clear(&s->s3->hs.tls13);
1619 
1620 	tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
1621 	s->s3->hs.tls13.quic_read_buffer = NULL;
1622 	s->s3->hs.tls13.quic_read_level = ssl_encryption_initial;
1623 	s->s3->hs.tls13.quic_write_level = ssl_encryption_initial;
1624 
1625 	s->s3->hs.extensions_seen = 0;
1626 
1627 	rp = s->s3->rbuf.buf;
1628 	wp = s->s3->wbuf.buf;
1629 	rlen = s->s3->rbuf.len;
1630 	wlen = s->s3->wbuf.len;
1631 
1632 	tls1_transcript_free(s);
1633 	tls1_transcript_hash_free(s);
1634 
1635 	free(s->s3->alpn_selected);
1636 	s->s3->alpn_selected = NULL;
1637 	s->s3->alpn_selected_len = 0;
1638 
1639 	freezero(s->s3->peer_quic_transport_params,
1640 	    s->s3->peer_quic_transport_params_len);
1641 	s->s3->peer_quic_transport_params = NULL;
1642 	s->s3->peer_quic_transport_params_len = 0;
1643 
1644 	memset(s->s3, 0, sizeof(*s->s3));
1645 
1646 	s->s3->rbuf.buf = rp;
1647 	s->s3->wbuf.buf = wp;
1648 	s->s3->rbuf.len = rlen;
1649 	s->s3->wbuf.len = wlen;
1650 
1651 	ssl_free_wbio_buffer(s);
1652 
1653 	/* Not needed... */
1654 	s->s3->renegotiate = 0;
1655 	s->s3->total_renegotiations = 0;
1656 	s->s3->num_renegotiations = 0;
1657 	s->s3->in_read_app_data = 0;
1658 
1659 	s->internal->packet_length = 0;
1660 	s->version = TLS1_VERSION;
1661 
1662 	s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1663 }
1664 
1665 long
1666 _SSL_get_shared_group(SSL *s, long n)
1667 {
1668 	size_t count;
1669 	int nid;
1670 
1671 	/* OpenSSL document that they return -1 for clients. They return 0. */
1672 	if (!s->server)
1673 		return 0;
1674 
1675 	if (n == -1) {
1676 		if (!tls1_count_shared_groups(s, &count))
1677 			return 0;
1678 
1679 		if (count > LONG_MAX)
1680 			count = LONG_MAX;
1681 
1682 		return count;
1683 	}
1684 
1685 	/* Undocumented special case added for Suite B profile support. */
1686 	if (n == -2)
1687 		n = 0;
1688 
1689 	if (n < 0)
1690 		return 0;
1691 
1692 	if (!tls1_get_shared_group_by_index(s, n, &nid))
1693 		return NID_undef;
1694 
1695 	return nid;
1696 }
1697 
1698 long
1699 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1700 {
1701 	EVP_PKEY *pkey = NULL;
1702 	int ret = 0;
1703 
1704 	*key = NULL;
1705 
1706 	if (s->s3->hs.key_share == NULL)
1707 		goto err;
1708 
1709 	if ((pkey = EVP_PKEY_new()) == NULL)
1710 		goto err;
1711 	if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey))
1712 		goto err;
1713 
1714 	*key = pkey;
1715 	pkey = NULL;
1716 
1717 	ret = 1;
1718 
1719  err:
1720 	EVP_PKEY_free(pkey);
1721 
1722 	return (ret);
1723 }
1724 
1725 static int
1726 _SSL_session_reused(SSL *s)
1727 {
1728 	return s->internal->hit;
1729 }
1730 
1731 static int
1732 _SSL_num_renegotiations(SSL *s)
1733 {
1734 	return s->s3->num_renegotiations;
1735 }
1736 
1737 static int
1738 _SSL_clear_num_renegotiations(SSL *s)
1739 {
1740 	int renegs;
1741 
1742 	renegs = s->s3->num_renegotiations;
1743 	s->s3->num_renegotiations = 0;
1744 
1745 	return renegs;
1746 }
1747 
1748 static int
1749 _SSL_total_renegotiations(SSL *s)
1750 {
1751 	return s->s3->total_renegotiations;
1752 }
1753 
1754 static int
1755 _SSL_set_tmp_dh(SSL *s, DH *dh)
1756 {
1757 	DH *dhe_params;
1758 
1759 	if (dh == NULL) {
1760 		SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1761 		return 0;
1762 	}
1763 
1764 	if (!ssl_security_dh(s, dh)) {
1765 		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1766 		return 0;
1767 	}
1768 
1769 	if ((dhe_params = DHparams_dup(dh)) == NULL) {
1770 		SSLerror(s, ERR_R_DH_LIB);
1771 		return 0;
1772 	}
1773 
1774 	DH_free(s->cert->dhe_params);
1775 	s->cert->dhe_params = dhe_params;
1776 
1777 	return 1;
1778 }
1779 
1780 static int
1781 _SSL_set_dh_auto(SSL *s, int state)
1782 {
1783 	s->cert->dhe_params_auto = state;
1784 	return 1;
1785 }
1786 
1787 static int
1788 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1789 {
1790 	const EC_GROUP *group;
1791 	int nid;
1792 
1793 	if (ecdh == NULL)
1794 		return 0;
1795 	if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1796 		return 0;
1797 
1798 	nid = EC_GROUP_get_curve_name(group);
1799 	return SSL_set1_groups(s, &nid, 1);
1800 }
1801 
1802 static int
1803 _SSL_set_ecdh_auto(SSL *s, int state)
1804 {
1805 	return 1;
1806 }
1807 
1808 static int
1809 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1810 {
1811 	int is_ip;
1812 	CBS cbs;
1813 
1814 	free(s->tlsext_hostname);
1815 	s->tlsext_hostname = NULL;
1816 
1817 	if (name == NULL)
1818 		return 1;
1819 
1820 	CBS_init(&cbs, name, strlen(name));
1821 
1822 	if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
1823 		SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1824 		return 0;
1825 	}
1826 	if ((s->tlsext_hostname = strdup(name)) == NULL) {
1827 		SSLerror(s, ERR_R_INTERNAL_ERROR);
1828 		return 0;
1829 	}
1830 
1831 	return 1;
1832 }
1833 
1834 static int
1835 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1836 {
1837 	s->internal->tlsext_debug_arg = arg;
1838 	return 1;
1839 }
1840 
1841 static int
1842 _SSL_get_tlsext_status_type(SSL *s)
1843 {
1844 	return s->tlsext_status_type;
1845 }
1846 
1847 static int
1848 _SSL_set_tlsext_status_type(SSL *s, int type)
1849 {
1850 	s->tlsext_status_type = type;
1851 	return 1;
1852 }
1853 
1854 static int
1855 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1856 {
1857 	*exts = s->internal->tlsext_ocsp_exts;
1858 	return 1;
1859 }
1860 
1861 static int
1862 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1863 {
1864 	/* XXX - leak... */
1865 	s->internal->tlsext_ocsp_exts = exts;
1866 	return 1;
1867 }
1868 
1869 static int
1870 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1871 {
1872 	*ids = s->internal->tlsext_ocsp_ids;
1873 	return 1;
1874 }
1875 
1876 static int
1877 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1878 {
1879 	/* XXX - leak... */
1880 	s->internal->tlsext_ocsp_ids = ids;
1881 	return 1;
1882 }
1883 
1884 static int
1885 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1886 {
1887 	if (s->internal->tlsext_ocsp_resp != NULL &&
1888 	    s->internal->tlsext_ocsp_resp_len < INT_MAX) {
1889 		*resp = s->internal->tlsext_ocsp_resp;
1890 		return (int)s->internal->tlsext_ocsp_resp_len;
1891 	}
1892 
1893 	*resp = NULL;
1894 
1895 	return -1;
1896 }
1897 
1898 static int
1899 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1900 {
1901 	free(s->internal->tlsext_ocsp_resp);
1902 	s->internal->tlsext_ocsp_resp = NULL;
1903 	s->internal->tlsext_ocsp_resp_len = 0;
1904 
1905 	if (resp_len < 0)
1906 		return 0;
1907 
1908 	s->internal->tlsext_ocsp_resp = resp;
1909 	s->internal->tlsext_ocsp_resp_len = (size_t)resp_len;
1910 
1911 	return 1;
1912 }
1913 
1914 int
1915 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1916 {
1917 	return ssl_cert_set0_chain(NULL, ssl, chain);
1918 }
1919 
1920 int
1921 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1922 {
1923 	return ssl_cert_set1_chain(NULL, ssl, chain);
1924 }
1925 
1926 int
1927 SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1928 {
1929 	return ssl_cert_add0_chain_cert(NULL, ssl, x509);
1930 }
1931 
1932 int
1933 SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1934 {
1935 	return ssl_cert_add1_chain_cert(NULL, ssl, x509);
1936 }
1937 
1938 int
1939 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1940 {
1941 	*out_chain = NULL;
1942 
1943 	if (ssl->cert->key != NULL)
1944 		*out_chain = ssl->cert->key->chain;
1945 
1946 	return 1;
1947 }
1948 
1949 int
1950 SSL_clear_chain_certs(SSL *ssl)
1951 {
1952 	return ssl_cert_set0_chain(NULL, ssl, NULL);
1953 }
1954 
1955 int
1956 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1957 {
1958 	return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1959 	    &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1960 }
1961 
1962 int
1963 SSL_set1_groups_list(SSL *s, const char *groups)
1964 {
1965 	return tls1_set_group_list(&s->internal->tlsext_supportedgroups,
1966 	    &s->internal->tlsext_supportedgroups_length, groups);
1967 }
1968 
1969 static int
1970 _SSL_get_signature_nid(SSL *s, int *nid)
1971 {
1972 	const struct ssl_sigalg *sigalg;
1973 
1974 	if ((sigalg = s->s3->hs.our_sigalg) == NULL)
1975 		return 0;
1976 
1977 	*nid = EVP_MD_type(sigalg->md());
1978 
1979 	return 1;
1980 }
1981 
1982 static int
1983 _SSL_get_peer_signature_nid(SSL *s, int *nid)
1984 {
1985 	const struct ssl_sigalg *sigalg;
1986 
1987 	if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
1988 		return 0;
1989 
1990 	*nid = EVP_MD_type(sigalg->md());
1991 
1992 	return 1;
1993 }
1994 
1995 int
1996 SSL_get_signature_type_nid(const SSL *s, int *nid)
1997 {
1998 	const struct ssl_sigalg *sigalg;
1999 
2000 	if ((sigalg = s->s3->hs.our_sigalg) == NULL)
2001 		return 0;
2002 
2003 	*nid = sigalg->key_type;
2004 	if (sigalg->key_type == EVP_PKEY_RSA &&
2005 	    (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2006 		*nid = EVP_PKEY_RSA_PSS;
2007 
2008 	return 1;
2009 }
2010 
2011 int
2012 SSL_get_peer_signature_type_nid(const SSL *s, int *nid)
2013 {
2014 	const struct ssl_sigalg *sigalg;
2015 
2016 	if ((sigalg = s->s3->hs.peer_sigalg) == NULL)
2017 		return 0;
2018 
2019 	*nid = sigalg->key_type;
2020 	if (sigalg->key_type == EVP_PKEY_RSA &&
2021 	    (sigalg->flags & SIGALG_FLAG_RSA_PSS))
2022 		*nid = EVP_PKEY_RSA_PSS;
2023 
2024 	return 1;
2025 }
2026 
2027 long
2028 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2029 {
2030 	switch (cmd) {
2031 	case SSL_CTRL_GET_SESSION_REUSED:
2032 		return _SSL_session_reused(s);
2033 
2034 	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
2035 		return _SSL_num_renegotiations(s);
2036 
2037 	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
2038 		return _SSL_clear_num_renegotiations(s);
2039 
2040 	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
2041 		return _SSL_total_renegotiations(s);
2042 
2043 	case SSL_CTRL_SET_TMP_DH:
2044 		return _SSL_set_tmp_dh(s, parg);
2045 
2046 	case SSL_CTRL_SET_TMP_DH_CB:
2047 		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2048 		return 0;
2049 
2050 	case SSL_CTRL_SET_DH_AUTO:
2051 		return _SSL_set_dh_auto(s, larg);
2052 
2053 	case SSL_CTRL_SET_TMP_ECDH:
2054 		return _SSL_set_tmp_ecdh(s, parg);
2055 
2056 	case SSL_CTRL_SET_TMP_ECDH_CB:
2057 		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2058 		return 0;
2059 
2060 	case SSL_CTRL_SET_ECDH_AUTO:
2061 		return _SSL_set_ecdh_auto(s, larg);
2062 
2063 	case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2064 		if (larg != TLSEXT_NAMETYPE_host_name) {
2065 			SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2066 			return 0;
2067 		}
2068 		return _SSL_set_tlsext_host_name(s, parg);
2069 
2070 	case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2071 		return _SSL_set_tlsext_debug_arg(s, parg);
2072 
2073 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
2074 		return _SSL_get_tlsext_status_type(s);
2075 
2076 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2077 		return _SSL_set_tlsext_status_type(s, larg);
2078 
2079 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2080 		return _SSL_get_tlsext_status_exts(s, parg);
2081 
2082 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2083 		return _SSL_set_tlsext_status_exts(s, parg);
2084 
2085 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2086 		return _SSL_get_tlsext_status_ids(s, parg);
2087 
2088 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2089 		return _SSL_set_tlsext_status_ids(s, parg);
2090 
2091 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2092 		return _SSL_get_tlsext_status_ocsp_resp(s, parg);
2093 
2094 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2095 		return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
2096 
2097 	case SSL_CTRL_CHAIN:
2098 		if (larg == 0)
2099 			return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2100 		else
2101 			return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2102 
2103 	case SSL_CTRL_CHAIN_CERT:
2104 		if (larg == 0)
2105 			return SSL_add0_chain_cert(s, (X509 *)parg);
2106 		else
2107 			return SSL_add1_chain_cert(s, (X509 *)parg);
2108 
2109 	case SSL_CTRL_GET_CHAIN_CERTS:
2110 		return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2111 
2112 	case SSL_CTRL_SET_GROUPS:
2113 		return SSL_set1_groups(s, parg, larg);
2114 
2115 	case SSL_CTRL_SET_GROUPS_LIST:
2116 		return SSL_set1_groups_list(s, parg);
2117 
2118 	case SSL_CTRL_GET_SHARED_GROUP:
2119 		return _SSL_get_shared_group(s, larg);
2120 
2121 	/* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2122 	case SSL_CTRL_GET_SERVER_TMP_KEY:
2123 		if (s->server != 0)
2124 			return 0;
2125 		return _SSL_get_peer_tmp_key(s, parg);
2126 
2127 	case SSL_CTRL_GET_MIN_PROTO_VERSION:
2128 		return SSL_get_min_proto_version(s);
2129 
2130 	case SSL_CTRL_GET_MAX_PROTO_VERSION:
2131 		return SSL_get_max_proto_version(s);
2132 
2133 	case SSL_CTRL_SET_MIN_PROTO_VERSION:
2134 		if (larg < 0 || larg > UINT16_MAX)
2135 			return 0;
2136 		return SSL_set_min_proto_version(s, larg);
2137 
2138 	case SSL_CTRL_SET_MAX_PROTO_VERSION:
2139 		if (larg < 0 || larg > UINT16_MAX)
2140 			return 0;
2141 		return SSL_set_max_proto_version(s, larg);
2142 
2143 	case SSL_CTRL_GET_SIGNATURE_NID:
2144 		return _SSL_get_signature_nid(s, parg);
2145 
2146 	case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2147 		return _SSL_get_peer_signature_nid(s, parg);
2148 
2149 	/*
2150 	 * Legacy controls that should eventually be removed.
2151 	 */
2152 	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2153 		return 0;
2154 
2155 	case SSL_CTRL_GET_FLAGS:
2156 		return (int)(s->s3->flags);
2157 
2158 	case SSL_CTRL_NEED_TMP_RSA:
2159 		return 0;
2160 
2161 	case SSL_CTRL_SET_TMP_RSA:
2162 	case SSL_CTRL_SET_TMP_RSA_CB:
2163 		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2164 		return 0;
2165 	}
2166 
2167 	return 0;
2168 }
2169 
2170 long
2171 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2172 {
2173 	switch (cmd) {
2174 	case SSL_CTRL_SET_TMP_RSA_CB:
2175 		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2176 		return 0;
2177 
2178 	case SSL_CTRL_SET_TMP_DH_CB:
2179 		s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
2180 		return 1;
2181 
2182 	case SSL_CTRL_SET_TMP_ECDH_CB:
2183 		return 1;
2184 
2185 	case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2186 		s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2187 		    unsigned char *, int, void *))fp;
2188 		return 1;
2189 	}
2190 
2191 	return 0;
2192 }
2193 
2194 static int
2195 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2196 {
2197 	DH *dhe_params;
2198 
2199 	if (dh == NULL) {
2200 		SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
2201 		return 0;
2202 	}
2203 
2204 	if (!ssl_ctx_security_dh(ctx, dh)) {
2205 		SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
2206 		return 0;
2207 	}
2208 
2209 	if ((dhe_params = DHparams_dup(dh)) == NULL) {
2210 		SSLerrorx(ERR_R_DH_LIB);
2211 		return 0;
2212 	}
2213 
2214 	DH_free(ctx->internal->cert->dhe_params);
2215 	ctx->internal->cert->dhe_params = dhe_params;
2216 
2217 	return 1;
2218 }
2219 
2220 static int
2221 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2222 {
2223 	ctx->internal->cert->dhe_params_auto = state;
2224 	return 1;
2225 }
2226 
2227 static int
2228 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2229 {
2230 	const EC_GROUP *group;
2231 	int nid;
2232 
2233 	if (ecdh == NULL)
2234 		return 0;
2235 	if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2236 		return 0;
2237 
2238 	nid = EC_GROUP_get_curve_name(group);
2239 	return SSL_CTX_set1_groups(ctx, &nid, 1);
2240 }
2241 
2242 static int
2243 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2244 {
2245 	return 1;
2246 }
2247 
2248 static int
2249 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2250 {
2251 	ctx->internal->tlsext_servername_arg = arg;
2252 	return 1;
2253 }
2254 
2255 static int
2256 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2257 {
2258 	if (keys == NULL)
2259 		return 48;
2260 
2261 	if (keys_len != 48) {
2262 		SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2263 		return 0;
2264 	}
2265 
2266 	memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2267 	memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2268 	memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2269 
2270 	return 1;
2271 }
2272 
2273 static int
2274 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2275 {
2276 	if (keys == NULL)
2277 		return 48;
2278 
2279 	if (keys_len != 48) {
2280 		SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2281 		return 0;
2282 	}
2283 
2284 	memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2285 	memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2286 	memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2287 
2288 	return 1;
2289 }
2290 
2291 static int
2292 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2293 {
2294 	*arg = ctx->internal->tlsext_status_arg;
2295 	return 1;
2296 }
2297 
2298 static int
2299 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2300 {
2301 	ctx->internal->tlsext_status_arg = arg;
2302 	return 1;
2303 }
2304 
2305 int
2306 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2307 {
2308 	return ssl_cert_set0_chain(ctx, NULL, chain);
2309 }
2310 
2311 int
2312 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2313 {
2314 	return ssl_cert_set1_chain(ctx, NULL, chain);
2315 }
2316 
2317 int
2318 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2319 {
2320 	return ssl_cert_add0_chain_cert(ctx, NULL, x509);
2321 }
2322 
2323 int
2324 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2325 {
2326 	return ssl_cert_add1_chain_cert(ctx, NULL, x509);
2327 }
2328 
2329 int
2330 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2331 {
2332 	*out_chain = NULL;
2333 
2334 	if (ctx->internal->cert->key != NULL)
2335 		*out_chain = ctx->internal->cert->key->chain;
2336 
2337 	return 1;
2338 }
2339 
2340 int
2341 SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2342 {
2343 	return ssl_cert_set0_chain(ctx, NULL, NULL);
2344 }
2345 
2346 static int
2347 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2348 {
2349 	if (ctx->extra_certs == NULL) {
2350 		if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2351 			return 0;
2352 	}
2353 	if (sk_X509_push(ctx->extra_certs, cert) == 0)
2354 		return 0;
2355 
2356 	return 1;
2357 }
2358 
2359 static int
2360 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2361 {
2362 	*certs = ctx->extra_certs;
2363 	if (*certs == NULL)
2364 		*certs = ctx->internal->cert->key->chain;
2365 
2366 	return 1;
2367 }
2368 
2369 static int
2370 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2371 {
2372 	*certs = ctx->extra_certs;
2373 	return 1;
2374 }
2375 
2376 static int
2377 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2378 {
2379 	sk_X509_pop_free(ctx->extra_certs, X509_free);
2380 	ctx->extra_certs = NULL;
2381 	return 1;
2382 }
2383 
2384 int
2385 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2386 {
2387 	return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2388 	    &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2389 }
2390 
2391 int
2392 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2393 {
2394 	return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups,
2395 	    &ctx->internal->tlsext_supportedgroups_length, groups);
2396 }
2397 
2398 long
2399 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2400 {
2401 	switch (cmd) {
2402 	case SSL_CTRL_SET_TMP_DH:
2403 		return _SSL_CTX_set_tmp_dh(ctx, parg);
2404 
2405 	case SSL_CTRL_SET_TMP_DH_CB:
2406 		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2407 		return 0;
2408 
2409 	case SSL_CTRL_SET_DH_AUTO:
2410 		return _SSL_CTX_set_dh_auto(ctx, larg);
2411 
2412 	case SSL_CTRL_SET_TMP_ECDH:
2413 		return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2414 
2415 	case SSL_CTRL_SET_TMP_ECDH_CB:
2416 		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2417 		return 0;
2418 
2419 	case SSL_CTRL_SET_ECDH_AUTO:
2420 		return _SSL_CTX_set_ecdh_auto(ctx, larg);
2421 
2422 	case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2423 		return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2424 
2425 	case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2426 		return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2427 
2428 	case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2429 		return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2430 
2431 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2432 		return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2433 
2434 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2435 		return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2436 
2437 	case SSL_CTRL_CHAIN:
2438 		if (larg == 0)
2439 			return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2440 		else
2441 			return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2442 
2443 	case SSL_CTRL_CHAIN_CERT:
2444 		if (larg == 0)
2445 			return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2446 		else
2447 			return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2448 
2449 	case SSL_CTRL_GET_CHAIN_CERTS:
2450 		return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2451 
2452 	case SSL_CTRL_EXTRA_CHAIN_CERT:
2453 		return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2454 
2455 	case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2456 		if (larg == 0)
2457 			return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2458 		else
2459 			return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2460 
2461 	case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2462 		return _SSL_CTX_clear_extra_chain_certs(ctx);
2463 
2464 	case SSL_CTRL_SET_GROUPS:
2465 		return SSL_CTX_set1_groups(ctx, parg, larg);
2466 
2467 	case SSL_CTRL_SET_GROUPS_LIST:
2468 		return SSL_CTX_set1_groups_list(ctx, parg);
2469 
2470 	case SSL_CTRL_GET_MIN_PROTO_VERSION:
2471 		return SSL_CTX_get_min_proto_version(ctx);
2472 
2473 	case SSL_CTRL_GET_MAX_PROTO_VERSION:
2474 		return SSL_CTX_get_max_proto_version(ctx);
2475 
2476 	case SSL_CTRL_SET_MIN_PROTO_VERSION:
2477 		if (larg < 0 || larg > UINT16_MAX)
2478 			return 0;
2479 		return SSL_CTX_set_min_proto_version(ctx, larg);
2480 
2481 	case SSL_CTRL_SET_MAX_PROTO_VERSION:
2482 		if (larg < 0 || larg > UINT16_MAX)
2483 			return 0;
2484 		return SSL_CTX_set_max_proto_version(ctx, larg);
2485 
2486 	/*
2487 	 * Legacy controls that should eventually be removed.
2488 	 */
2489 	case SSL_CTRL_NEED_TMP_RSA:
2490 		return 0;
2491 
2492 	case SSL_CTRL_SET_TMP_RSA:
2493 	case SSL_CTRL_SET_TMP_RSA_CB:
2494 		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2495 		return 0;
2496 	}
2497 
2498 	return 0;
2499 }
2500 
2501 long
2502 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2503 {
2504 	switch (cmd) {
2505 	case SSL_CTRL_SET_TMP_RSA_CB:
2506 		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2507 		return 0;
2508 
2509 	case SSL_CTRL_SET_TMP_DH_CB:
2510 		ctx->internal->cert->dhe_params_cb =
2511 		    (DH *(*)(SSL *, int, int))fp;
2512 		return 1;
2513 
2514 	case SSL_CTRL_SET_TMP_ECDH_CB:
2515 		return 1;
2516 
2517 	case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2518 		ctx->internal->tlsext_servername_callback =
2519 		    (int (*)(SSL *, int *, void *))fp;
2520 		return 1;
2521 
2522 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2523 		*(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2524 		return 1;
2525 
2526 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2527 		ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2528 		return 1;
2529 
2530 	case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2531 		ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char  *,
2532 		    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2533 		return 1;
2534 	}
2535 
2536 	return 0;
2537 }
2538 
2539 SSL_CIPHER *
2540 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2541     STACK_OF(SSL_CIPHER) *srvr)
2542 {
2543 	unsigned long alg_k, alg_a, mask_k, mask_a;
2544 	STACK_OF(SSL_CIPHER) *prio, *allow;
2545 	SSL_CIPHER *c, *ret = NULL;
2546 	int can_use_ecc;
2547 	int i, ii, nid, ok;
2548 	SSL_CERT *cert;
2549 
2550 	/* Let's see which ciphers we can support */
2551 	cert = s->cert;
2552 
2553 	can_use_ecc = tls1_get_supported_group(s, &nid);
2554 
2555 	/*
2556 	 * Do not set the compare functions, because this may lead to a
2557 	 * reordering by "id". We want to keep the original ordering.
2558 	 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2559 	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2560 	 */
2561 
2562 	if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2563 		prio = srvr;
2564 		allow = clnt;
2565 	} else {
2566 		prio = clnt;
2567 		allow = srvr;
2568 	}
2569 
2570 	for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2571 		c = sk_SSL_CIPHER_value(prio, i);
2572 
2573 		/* Skip TLS v1.2 only ciphersuites if not supported. */
2574 		if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2575 		    !SSL_USE_TLS1_2_CIPHERS(s))
2576 			continue;
2577 
2578 		/* Skip TLS v1.3 only ciphersuites if not supported. */
2579 		if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2580 		    !SSL_USE_TLS1_3_CIPHERS(s))
2581 			continue;
2582 
2583 		/* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2584 		if (SSL_USE_TLS1_3_CIPHERS(s) &&
2585 		    !(c->algorithm_ssl & SSL_TLSV1_3))
2586 			continue;
2587 
2588 		if (!ssl_security_shared_cipher(s, c))
2589 			continue;
2590 
2591 		ssl_set_cert_masks(cert, c);
2592 		mask_k = cert->mask_k;
2593 		mask_a = cert->mask_a;
2594 
2595 		alg_k = c->algorithm_mkey;
2596 		alg_a = c->algorithm_auth;
2597 
2598 		ok = (alg_k & mask_k) && (alg_a & mask_a);
2599 
2600 		/*
2601 		 * If we are considering an ECC cipher suite that uses our
2602 		 * certificate check it.
2603 		 */
2604 		if (alg_a & SSL_aECDSA)
2605 			ok = ok && tls1_check_ec_server_key(s);
2606 		/*
2607 		 * If we are considering an ECC cipher suite that uses
2608 		 * an ephemeral EC key check it.
2609 		 */
2610 		if (alg_k & SSL_kECDHE)
2611 			ok = ok && can_use_ecc;
2612 
2613 		if (!ok)
2614 			continue;
2615 		ii = sk_SSL_CIPHER_find(allow, c);
2616 		if (ii >= 0) {
2617 			ret = sk_SSL_CIPHER_value(allow, ii);
2618 			break;
2619 		}
2620 	}
2621 	return (ret);
2622 }
2623 
2624 int
2625 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2626 {
2627 	unsigned long alg_k;
2628 
2629 	alg_k = s->s3->hs.cipher->algorithm_mkey;
2630 
2631 #ifndef OPENSSL_NO_GOST
2632 	if ((alg_k & SSL_kGOST) != 0) {
2633 		if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2634 			return 0;
2635 		if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2636 			return 0;
2637 		if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2638 			return 0;
2639 		if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2640 			return 0;
2641 		if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2642 			return 0;
2643 	}
2644 #endif
2645 
2646 	if ((alg_k & SSL_kDHE) != 0) {
2647 		if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2648 			return 0;
2649 	}
2650 
2651 	if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2652 		return 0;
2653 
2654 	/*
2655 	 * ECDSA certs can be used with RSA cipher suites as well
2656 	 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2657 	 */
2658 	if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2659 		return 0;
2660 
2661 	return 1;
2662 }
2663 
2664 int
2665 ssl3_shutdown(SSL *s)
2666 {
2667 	int	ret;
2668 
2669 	/*
2670 	 * Don't do anything much if we have not done the handshake or
2671 	 * we don't want to send messages :-)
2672 	 */
2673 	if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) {
2674 		s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2675 		return (1);
2676 	}
2677 
2678 	if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2679 		s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2680 		ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2681 		/*
2682 		 * Our shutdown alert has been sent now, and if it still needs
2683 		 * to be written, s->s3->alert_dispatch will be true
2684 		 */
2685 		if (s->s3->alert_dispatch)
2686 			return (-1);	/* return WANT_WRITE */
2687 	} else if (s->s3->alert_dispatch) {
2688 		/* resend it if not sent */
2689 		ret = ssl3_dispatch_alert(s);
2690 		if (ret == -1) {
2691 			/*
2692 			 * We only get to return -1 here the 2nd/Nth
2693 			 * invocation, we must  have already signalled
2694 			 * return 0 upon a previous invoation,
2695 			 * return WANT_WRITE
2696 			 */
2697 			return (ret);
2698 		}
2699 	} else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2700 		/* If we are waiting for a close from our peer, we are closed */
2701 		s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
2702 		if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2703 			return (-1);	/* return WANT_READ */
2704 		}
2705 	}
2706 
2707 	if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2708 	    !s->s3->alert_dispatch)
2709 		return (1);
2710 	else
2711 		return (0);
2712 }
2713 
2714 int
2715 ssl3_write(SSL *s, const void *buf, int len)
2716 {
2717 	errno = 0;
2718 
2719 	if (s->s3->renegotiate)
2720 		ssl3_renegotiate_check(s);
2721 
2722 	return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2723 	    buf, len);
2724 }
2725 
2726 static int
2727 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2728 {
2729 	int	ret;
2730 
2731 	errno = 0;
2732 	if (s->s3->renegotiate)
2733 		ssl3_renegotiate_check(s);
2734 	s->s3->in_read_app_data = 1;
2735 
2736 	ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
2737 	    peek);
2738 	if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
2739 		/*
2740 		 * ssl3_read_bytes decided to call s->internal->handshake_func,
2741 		 * which called ssl3_read_bytes to read handshake data.
2742 		 * However, ssl3_read_bytes actually found application data
2743 		 * and thinks that application data makes sense here; so disable
2744 		 * handshake processing and try to read application data again.
2745 		 */
2746 		s->internal->in_handshake++;
2747 		ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA,
2748 		    buf, len, peek);
2749 		s->internal->in_handshake--;
2750 	} else
2751 		s->s3->in_read_app_data = 0;
2752 
2753 	return (ret);
2754 }
2755 
2756 int
2757 ssl3_read(SSL *s, void *buf, int len)
2758 {
2759 	return ssl3_read_internal(s, buf, len, 0);
2760 }
2761 
2762 int
2763 ssl3_peek(SSL *s, void *buf, int len)
2764 {
2765 	return ssl3_read_internal(s, buf, len, 1);
2766 }
2767 
2768 int
2769 ssl3_renegotiate(SSL *s)
2770 {
2771 	if (s->internal->handshake_func == NULL)
2772 		return 1;
2773 
2774 	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2775 		return 0;
2776 
2777 	s->s3->renegotiate = 1;
2778 
2779 	return 1;
2780 }
2781 
2782 int
2783 ssl3_renegotiate_check(SSL *s)
2784 {
2785 	if (!s->s3->renegotiate)
2786 		return 0;
2787 	if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0)
2788 		return 0;
2789 
2790 	s->s3->hs.state = SSL_ST_RENEGOTIATE;
2791 	s->s3->renegotiate = 0;
2792 	s->s3->num_renegotiations++;
2793 	s->s3->total_renegotiations++;
2794 
2795 	return 1;
2796 }
2797