1 /* $OpenBSD: s3_lib.c,v 1.238 2022/08/21 19:39:44 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 #include <openssl/opensslconf.h> 160 161 #include "bytestring.h" 162 #include "dtls_locl.h" 163 #include "ssl_locl.h" 164 #include "ssl_sigalgs.h" 165 #include "ssl_tlsext.h" 166 167 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 168 169 /* 170 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 171 * fixed nonce length in algorithms2. It is the inverse of the 172 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 173 */ 174 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 175 176 /* list of available SSLv3 ciphers (sorted by id) */ 177 const SSL_CIPHER ssl3_ciphers[] = { 178 179 /* The RSA ciphers */ 180 /* Cipher 01 */ 181 { 182 .valid = 1, 183 .name = SSL3_TXT_RSA_NULL_MD5, 184 .id = SSL3_CK_RSA_NULL_MD5, 185 .algorithm_mkey = SSL_kRSA, 186 .algorithm_auth = SSL_aRSA, 187 .algorithm_enc = SSL_eNULL, 188 .algorithm_mac = SSL_MD5, 189 .algorithm_ssl = SSL_SSLV3, 190 .algo_strength = SSL_STRONG_NONE, 191 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 192 .strength_bits = 0, 193 .alg_bits = 0, 194 }, 195 196 /* Cipher 02 */ 197 { 198 .valid = 1, 199 .name = SSL3_TXT_RSA_NULL_SHA, 200 .id = SSL3_CK_RSA_NULL_SHA, 201 .algorithm_mkey = SSL_kRSA, 202 .algorithm_auth = SSL_aRSA, 203 .algorithm_enc = SSL_eNULL, 204 .algorithm_mac = SSL_SHA1, 205 .algorithm_ssl = SSL_SSLV3, 206 .algo_strength = SSL_STRONG_NONE, 207 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 208 .strength_bits = 0, 209 .alg_bits = 0, 210 }, 211 212 /* Cipher 04 */ 213 { 214 .valid = 1, 215 .name = SSL3_TXT_RSA_RC4_128_MD5, 216 .id = SSL3_CK_RSA_RC4_128_MD5, 217 .algorithm_mkey = SSL_kRSA, 218 .algorithm_auth = SSL_aRSA, 219 .algorithm_enc = SSL_RC4, 220 .algorithm_mac = SSL_MD5, 221 .algorithm_ssl = SSL_SSLV3, 222 .algo_strength = SSL_LOW, 223 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 224 .strength_bits = 128, 225 .alg_bits = 128, 226 }, 227 228 /* Cipher 05 */ 229 { 230 .valid = 1, 231 .name = SSL3_TXT_RSA_RC4_128_SHA, 232 .id = SSL3_CK_RSA_RC4_128_SHA, 233 .algorithm_mkey = SSL_kRSA, 234 .algorithm_auth = SSL_aRSA, 235 .algorithm_enc = SSL_RC4, 236 .algorithm_mac = SSL_SHA1, 237 .algorithm_ssl = SSL_SSLV3, 238 .algo_strength = SSL_LOW, 239 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 240 .strength_bits = 128, 241 .alg_bits = 128, 242 }, 243 244 /* Cipher 0A */ 245 { 246 .valid = 1, 247 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 248 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 249 .algorithm_mkey = SSL_kRSA, 250 .algorithm_auth = SSL_aRSA, 251 .algorithm_enc = SSL_3DES, 252 .algorithm_mac = SSL_SHA1, 253 .algorithm_ssl = SSL_SSLV3, 254 .algo_strength = SSL_MEDIUM, 255 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256 .strength_bits = 112, 257 .alg_bits = 168, 258 }, 259 260 /* 261 * Ephemeral DH (DHE) ciphers. 262 */ 263 264 /* Cipher 16 */ 265 { 266 .valid = 1, 267 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 268 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 269 .algorithm_mkey = SSL_kDHE, 270 .algorithm_auth = SSL_aRSA, 271 .algorithm_enc = SSL_3DES, 272 .algorithm_mac = SSL_SHA1, 273 .algorithm_ssl = SSL_SSLV3, 274 .algo_strength = SSL_MEDIUM, 275 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 276 .strength_bits = 112, 277 .alg_bits = 168, 278 }, 279 280 /* Cipher 18 */ 281 { 282 .valid = 1, 283 .name = SSL3_TXT_ADH_RC4_128_MD5, 284 .id = SSL3_CK_ADH_RC4_128_MD5, 285 .algorithm_mkey = SSL_kDHE, 286 .algorithm_auth = SSL_aNULL, 287 .algorithm_enc = SSL_RC4, 288 .algorithm_mac = SSL_MD5, 289 .algorithm_ssl = SSL_SSLV3, 290 .algo_strength = SSL_LOW, 291 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 292 .strength_bits = 128, 293 .alg_bits = 128, 294 }, 295 296 /* Cipher 1B */ 297 { 298 .valid = 1, 299 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 300 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 301 .algorithm_mkey = SSL_kDHE, 302 .algorithm_auth = SSL_aNULL, 303 .algorithm_enc = SSL_3DES, 304 .algorithm_mac = SSL_SHA1, 305 .algorithm_ssl = SSL_SSLV3, 306 .algo_strength = SSL_MEDIUM, 307 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 308 .strength_bits = 112, 309 .alg_bits = 168, 310 }, 311 312 /* 313 * AES ciphersuites. 314 */ 315 316 /* Cipher 2F */ 317 { 318 .valid = 1, 319 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 320 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 321 .algorithm_mkey = SSL_kRSA, 322 .algorithm_auth = SSL_aRSA, 323 .algorithm_enc = SSL_AES128, 324 .algorithm_mac = SSL_SHA1, 325 .algorithm_ssl = SSL_TLSV1, 326 .algo_strength = SSL_HIGH, 327 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 328 .strength_bits = 128, 329 .alg_bits = 128, 330 }, 331 332 /* Cipher 33 */ 333 { 334 .valid = 1, 335 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 336 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 337 .algorithm_mkey = SSL_kDHE, 338 .algorithm_auth = SSL_aRSA, 339 .algorithm_enc = SSL_AES128, 340 .algorithm_mac = SSL_SHA1, 341 .algorithm_ssl = SSL_TLSV1, 342 .algo_strength = SSL_HIGH, 343 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 344 .strength_bits = 128, 345 .alg_bits = 128, 346 }, 347 348 /* Cipher 34 */ 349 { 350 .valid = 1, 351 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 352 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 353 .algorithm_mkey = SSL_kDHE, 354 .algorithm_auth = SSL_aNULL, 355 .algorithm_enc = SSL_AES128, 356 .algorithm_mac = SSL_SHA1, 357 .algorithm_ssl = SSL_TLSV1, 358 .algo_strength = SSL_HIGH, 359 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 360 .strength_bits = 128, 361 .alg_bits = 128, 362 }, 363 364 /* Cipher 35 */ 365 { 366 .valid = 1, 367 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 368 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 369 .algorithm_mkey = SSL_kRSA, 370 .algorithm_auth = SSL_aRSA, 371 .algorithm_enc = SSL_AES256, 372 .algorithm_mac = SSL_SHA1, 373 .algorithm_ssl = SSL_TLSV1, 374 .algo_strength = SSL_HIGH, 375 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 376 .strength_bits = 256, 377 .alg_bits = 256, 378 }, 379 380 /* Cipher 39 */ 381 { 382 .valid = 1, 383 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 384 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 385 .algorithm_mkey = SSL_kDHE, 386 .algorithm_auth = SSL_aRSA, 387 .algorithm_enc = SSL_AES256, 388 .algorithm_mac = SSL_SHA1, 389 .algorithm_ssl = SSL_TLSV1, 390 .algo_strength = SSL_HIGH, 391 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 392 .strength_bits = 256, 393 .alg_bits = 256, 394 }, 395 396 /* Cipher 3A */ 397 { 398 .valid = 1, 399 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 400 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 401 .algorithm_mkey = SSL_kDHE, 402 .algorithm_auth = SSL_aNULL, 403 .algorithm_enc = SSL_AES256, 404 .algorithm_mac = SSL_SHA1, 405 .algorithm_ssl = SSL_TLSV1, 406 .algo_strength = SSL_HIGH, 407 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 408 .strength_bits = 256, 409 .alg_bits = 256, 410 }, 411 412 /* TLS v1.2 ciphersuites */ 413 /* Cipher 3B */ 414 { 415 .valid = 1, 416 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 417 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 418 .algorithm_mkey = SSL_kRSA, 419 .algorithm_auth = SSL_aRSA, 420 .algorithm_enc = SSL_eNULL, 421 .algorithm_mac = SSL_SHA256, 422 .algorithm_ssl = SSL_TLSV1_2, 423 .algo_strength = SSL_STRONG_NONE, 424 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 425 .strength_bits = 0, 426 .alg_bits = 0, 427 }, 428 429 /* Cipher 3C */ 430 { 431 .valid = 1, 432 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 433 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 434 .algorithm_mkey = SSL_kRSA, 435 .algorithm_auth = SSL_aRSA, 436 .algorithm_enc = SSL_AES128, 437 .algorithm_mac = SSL_SHA256, 438 .algorithm_ssl = SSL_TLSV1_2, 439 .algo_strength = SSL_HIGH, 440 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 441 .strength_bits = 128, 442 .alg_bits = 128, 443 }, 444 445 /* Cipher 3D */ 446 { 447 .valid = 1, 448 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 449 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 450 .algorithm_mkey = SSL_kRSA, 451 .algorithm_auth = SSL_aRSA, 452 .algorithm_enc = SSL_AES256, 453 .algorithm_mac = SSL_SHA256, 454 .algorithm_ssl = SSL_TLSV1_2, 455 .algo_strength = SSL_HIGH, 456 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 457 .strength_bits = 256, 458 .alg_bits = 256, 459 }, 460 461 #ifndef OPENSSL_NO_CAMELLIA 462 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 463 464 /* Cipher 41 */ 465 { 466 .valid = 1, 467 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 468 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 469 .algorithm_mkey = SSL_kRSA, 470 .algorithm_auth = SSL_aRSA, 471 .algorithm_enc = SSL_CAMELLIA128, 472 .algorithm_mac = SSL_SHA1, 473 .algorithm_ssl = SSL_TLSV1, 474 .algo_strength = SSL_HIGH, 475 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 476 .strength_bits = 128, 477 .alg_bits = 128, 478 }, 479 480 /* Cipher 45 */ 481 { 482 .valid = 1, 483 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 484 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 485 .algorithm_mkey = SSL_kDHE, 486 .algorithm_auth = SSL_aRSA, 487 .algorithm_enc = SSL_CAMELLIA128, 488 .algorithm_mac = SSL_SHA1, 489 .algorithm_ssl = SSL_TLSV1, 490 .algo_strength = SSL_HIGH, 491 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 492 .strength_bits = 128, 493 .alg_bits = 128, 494 }, 495 496 /* Cipher 46 */ 497 { 498 .valid = 1, 499 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 500 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 501 .algorithm_mkey = SSL_kDHE, 502 .algorithm_auth = SSL_aNULL, 503 .algorithm_enc = SSL_CAMELLIA128, 504 .algorithm_mac = SSL_SHA1, 505 .algorithm_ssl = SSL_TLSV1, 506 .algo_strength = SSL_HIGH, 507 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 508 .strength_bits = 128, 509 .alg_bits = 128, 510 }, 511 #endif /* OPENSSL_NO_CAMELLIA */ 512 513 /* TLS v1.2 ciphersuites */ 514 /* Cipher 67 */ 515 { 516 .valid = 1, 517 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 518 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 519 .algorithm_mkey = SSL_kDHE, 520 .algorithm_auth = SSL_aRSA, 521 .algorithm_enc = SSL_AES128, 522 .algorithm_mac = SSL_SHA256, 523 .algorithm_ssl = SSL_TLSV1_2, 524 .algo_strength = SSL_HIGH, 525 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 526 .strength_bits = 128, 527 .alg_bits = 128, 528 }, 529 530 /* Cipher 6B */ 531 { 532 .valid = 1, 533 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 534 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 535 .algorithm_mkey = SSL_kDHE, 536 .algorithm_auth = SSL_aRSA, 537 .algorithm_enc = SSL_AES256, 538 .algorithm_mac = SSL_SHA256, 539 .algorithm_ssl = SSL_TLSV1_2, 540 .algo_strength = SSL_HIGH, 541 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 542 .strength_bits = 256, 543 .alg_bits = 256, 544 }, 545 546 /* Cipher 6C */ 547 { 548 .valid = 1, 549 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 550 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 551 .algorithm_mkey = SSL_kDHE, 552 .algorithm_auth = SSL_aNULL, 553 .algorithm_enc = SSL_AES128, 554 .algorithm_mac = SSL_SHA256, 555 .algorithm_ssl = SSL_TLSV1_2, 556 .algo_strength = SSL_HIGH, 557 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 558 .strength_bits = 128, 559 .alg_bits = 128, 560 }, 561 562 /* Cipher 6D */ 563 { 564 .valid = 1, 565 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 566 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 567 .algorithm_mkey = SSL_kDHE, 568 .algorithm_auth = SSL_aNULL, 569 .algorithm_enc = SSL_AES256, 570 .algorithm_mac = SSL_SHA256, 571 .algorithm_ssl = SSL_TLSV1_2, 572 .algo_strength = SSL_HIGH, 573 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 574 .strength_bits = 256, 575 .alg_bits = 256, 576 }, 577 578 /* GOST Ciphersuites */ 579 580 /* Cipher 81 */ 581 { 582 .valid = 1, 583 .name = "GOST2001-GOST89-GOST89", 584 .id = 0x3000081, 585 .algorithm_mkey = SSL_kGOST, 586 .algorithm_auth = SSL_aGOST01, 587 .algorithm_enc = SSL_eGOST2814789CNT, 588 .algorithm_mac = SSL_GOST89MAC, 589 .algorithm_ssl = SSL_TLSV1, 590 .algo_strength = SSL_HIGH, 591 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 592 TLS1_STREAM_MAC, 593 .strength_bits = 256, 594 .alg_bits = 256 595 }, 596 597 /* Cipher 83 */ 598 { 599 .valid = 1, 600 .name = "GOST2001-NULL-GOST94", 601 .id = 0x3000083, 602 .algorithm_mkey = SSL_kGOST, 603 .algorithm_auth = SSL_aGOST01, 604 .algorithm_enc = SSL_eNULL, 605 .algorithm_mac = SSL_GOST94, 606 .algorithm_ssl = SSL_TLSV1, 607 .algo_strength = SSL_STRONG_NONE, 608 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 609 .strength_bits = 0, 610 .alg_bits = 0 611 }, 612 613 #ifndef OPENSSL_NO_CAMELLIA 614 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 615 616 /* Cipher 84 */ 617 { 618 .valid = 1, 619 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 620 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 621 .algorithm_mkey = SSL_kRSA, 622 .algorithm_auth = SSL_aRSA, 623 .algorithm_enc = SSL_CAMELLIA256, 624 .algorithm_mac = SSL_SHA1, 625 .algorithm_ssl = SSL_TLSV1, 626 .algo_strength = SSL_HIGH, 627 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 628 .strength_bits = 256, 629 .alg_bits = 256, 630 }, 631 632 /* Cipher 88 */ 633 { 634 .valid = 1, 635 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 636 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 637 .algorithm_mkey = SSL_kDHE, 638 .algorithm_auth = SSL_aRSA, 639 .algorithm_enc = SSL_CAMELLIA256, 640 .algorithm_mac = SSL_SHA1, 641 .algorithm_ssl = SSL_TLSV1, 642 .algo_strength = SSL_HIGH, 643 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 644 .strength_bits = 256, 645 .alg_bits = 256, 646 }, 647 648 /* Cipher 89 */ 649 { 650 .valid = 1, 651 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 652 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 653 .algorithm_mkey = SSL_kDHE, 654 .algorithm_auth = SSL_aNULL, 655 .algorithm_enc = SSL_CAMELLIA256, 656 .algorithm_mac = SSL_SHA1, 657 .algorithm_ssl = SSL_TLSV1, 658 .algo_strength = SSL_HIGH, 659 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 660 .strength_bits = 256, 661 .alg_bits = 256, 662 }, 663 #endif /* OPENSSL_NO_CAMELLIA */ 664 665 /* 666 * GCM ciphersuites from RFC5288. 667 */ 668 669 /* Cipher 9C */ 670 { 671 .valid = 1, 672 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 673 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 674 .algorithm_mkey = SSL_kRSA, 675 .algorithm_auth = SSL_aRSA, 676 .algorithm_enc = SSL_AES128GCM, 677 .algorithm_mac = SSL_AEAD, 678 .algorithm_ssl = SSL_TLSV1_2, 679 .algo_strength = SSL_HIGH, 680 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 681 FIXED_NONCE_LEN(4)| 682 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 683 .strength_bits = 128, 684 .alg_bits = 128, 685 }, 686 687 /* Cipher 9D */ 688 { 689 .valid = 1, 690 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 691 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 692 .algorithm_mkey = SSL_kRSA, 693 .algorithm_auth = SSL_aRSA, 694 .algorithm_enc = SSL_AES256GCM, 695 .algorithm_mac = SSL_AEAD, 696 .algorithm_ssl = SSL_TLSV1_2, 697 .algo_strength = SSL_HIGH, 698 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 699 FIXED_NONCE_LEN(4)| 700 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 701 .strength_bits = 256, 702 .alg_bits = 256, 703 }, 704 705 /* Cipher 9E */ 706 { 707 .valid = 1, 708 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 709 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 710 .algorithm_mkey = SSL_kDHE, 711 .algorithm_auth = SSL_aRSA, 712 .algorithm_enc = SSL_AES128GCM, 713 .algorithm_mac = SSL_AEAD, 714 .algorithm_ssl = SSL_TLSV1_2, 715 .algo_strength = SSL_HIGH, 716 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 717 FIXED_NONCE_LEN(4)| 718 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 719 .strength_bits = 128, 720 .alg_bits = 128, 721 }, 722 723 /* Cipher 9F */ 724 { 725 .valid = 1, 726 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 727 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 728 .algorithm_mkey = SSL_kDHE, 729 .algorithm_auth = SSL_aRSA, 730 .algorithm_enc = SSL_AES256GCM, 731 .algorithm_mac = SSL_AEAD, 732 .algorithm_ssl = SSL_TLSV1_2, 733 .algo_strength = SSL_HIGH, 734 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 735 FIXED_NONCE_LEN(4)| 736 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 737 .strength_bits = 256, 738 .alg_bits = 256, 739 }, 740 741 /* Cipher A6 */ 742 { 743 .valid = 1, 744 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 745 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 746 .algorithm_mkey = SSL_kDHE, 747 .algorithm_auth = SSL_aNULL, 748 .algorithm_enc = SSL_AES128GCM, 749 .algorithm_mac = SSL_AEAD, 750 .algorithm_ssl = SSL_TLSV1_2, 751 .algo_strength = SSL_HIGH, 752 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 753 FIXED_NONCE_LEN(4)| 754 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 755 .strength_bits = 128, 756 .alg_bits = 128, 757 }, 758 759 /* Cipher A7 */ 760 { 761 .valid = 1, 762 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 763 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 764 .algorithm_mkey = SSL_kDHE, 765 .algorithm_auth = SSL_aNULL, 766 .algorithm_enc = SSL_AES256GCM, 767 .algorithm_mac = SSL_AEAD, 768 .algorithm_ssl = SSL_TLSV1_2, 769 .algo_strength = SSL_HIGH, 770 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 771 FIXED_NONCE_LEN(4)| 772 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 773 .strength_bits = 256, 774 .alg_bits = 256, 775 }, 776 777 #ifndef OPENSSL_NO_CAMELLIA 778 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 779 780 /* Cipher BA */ 781 { 782 .valid = 1, 783 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 784 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 785 .algorithm_mkey = SSL_kRSA, 786 .algorithm_auth = SSL_aRSA, 787 .algorithm_enc = SSL_CAMELLIA128, 788 .algorithm_mac = SSL_SHA256, 789 .algorithm_ssl = SSL_TLSV1_2, 790 .algo_strength = SSL_HIGH, 791 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 792 .strength_bits = 128, 793 .alg_bits = 128, 794 }, 795 796 /* Cipher BE */ 797 { 798 .valid = 1, 799 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 800 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 801 .algorithm_mkey = SSL_kDHE, 802 .algorithm_auth = SSL_aRSA, 803 .algorithm_enc = SSL_CAMELLIA128, 804 .algorithm_mac = SSL_SHA256, 805 .algorithm_ssl = SSL_TLSV1_2, 806 .algo_strength = SSL_HIGH, 807 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 808 .strength_bits = 128, 809 .alg_bits = 128, 810 }, 811 812 /* Cipher BF */ 813 { 814 .valid = 1, 815 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 816 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 817 .algorithm_mkey = SSL_kDHE, 818 .algorithm_auth = SSL_aNULL, 819 .algorithm_enc = SSL_CAMELLIA128, 820 .algorithm_mac = SSL_SHA256, 821 .algorithm_ssl = SSL_TLSV1_2, 822 .algo_strength = SSL_HIGH, 823 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 824 .strength_bits = 128, 825 .alg_bits = 128, 826 }, 827 828 /* Cipher C0 */ 829 { 830 .valid = 1, 831 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 832 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 833 .algorithm_mkey = SSL_kRSA, 834 .algorithm_auth = SSL_aRSA, 835 .algorithm_enc = SSL_CAMELLIA256, 836 .algorithm_mac = SSL_SHA256, 837 .algorithm_ssl = SSL_TLSV1_2, 838 .algo_strength = SSL_HIGH, 839 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 840 .strength_bits = 256, 841 .alg_bits = 256, 842 }, 843 844 /* Cipher C4 */ 845 { 846 .valid = 1, 847 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 848 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 849 .algorithm_mkey = SSL_kDHE, 850 .algorithm_auth = SSL_aRSA, 851 .algorithm_enc = SSL_CAMELLIA256, 852 .algorithm_mac = SSL_SHA256, 853 .algorithm_ssl = SSL_TLSV1_2, 854 .algo_strength = SSL_HIGH, 855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 856 .strength_bits = 256, 857 .alg_bits = 256, 858 }, 859 860 /* Cipher C5 */ 861 { 862 .valid = 1, 863 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 864 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 865 .algorithm_mkey = SSL_kDHE, 866 .algorithm_auth = SSL_aNULL, 867 .algorithm_enc = SSL_CAMELLIA256, 868 .algorithm_mac = SSL_SHA256, 869 .algorithm_ssl = SSL_TLSV1_2, 870 .algo_strength = SSL_HIGH, 871 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 872 .strength_bits = 256, 873 .alg_bits = 256, 874 }, 875 #endif /* OPENSSL_NO_CAMELLIA */ 876 877 /* 878 * TLSv1.3 cipher suites. 879 */ 880 881 #ifdef LIBRESSL_HAS_TLS1_3 882 /* Cipher 1301 */ 883 { 884 .valid = 1, 885 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 886 .id = TLS1_3_CK_AES_128_GCM_SHA256, 887 .algorithm_mkey = SSL_kTLS1_3, 888 .algorithm_auth = SSL_aTLS1_3, 889 .algorithm_enc = SSL_AES128GCM, 890 .algorithm_mac = SSL_AEAD, 891 .algorithm_ssl = SSL_TLSV1_3, 892 .algo_strength = SSL_HIGH, 893 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 894 .strength_bits = 128, 895 .alg_bits = 128, 896 }, 897 898 /* Cipher 1302 */ 899 { 900 .valid = 1, 901 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 902 .id = TLS1_3_CK_AES_256_GCM_SHA384, 903 .algorithm_mkey = SSL_kTLS1_3, 904 .algorithm_auth = SSL_aTLS1_3, 905 .algorithm_enc = SSL_AES256GCM, 906 .algorithm_mac = SSL_AEAD, 907 .algorithm_ssl = SSL_TLSV1_3, 908 .algo_strength = SSL_HIGH, 909 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 910 .strength_bits = 256, 911 .alg_bits = 256, 912 }, 913 914 /* Cipher 1303 */ 915 { 916 .valid = 1, 917 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 918 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 919 .algorithm_mkey = SSL_kTLS1_3, 920 .algorithm_auth = SSL_aTLS1_3, 921 .algorithm_enc = SSL_CHACHA20POLY1305, 922 .algorithm_mac = SSL_AEAD, 923 .algorithm_ssl = SSL_TLSV1_3, 924 .algo_strength = SSL_HIGH, 925 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 926 .strength_bits = 256, 927 .alg_bits = 256, 928 }, 929 #endif 930 931 /* Cipher C006 */ 932 { 933 .valid = 1, 934 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 935 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 936 .algorithm_mkey = SSL_kECDHE, 937 .algorithm_auth = SSL_aECDSA, 938 .algorithm_enc = SSL_eNULL, 939 .algorithm_mac = SSL_SHA1, 940 .algorithm_ssl = SSL_TLSV1, 941 .algo_strength = SSL_STRONG_NONE, 942 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 943 .strength_bits = 0, 944 .alg_bits = 0, 945 }, 946 947 /* Cipher C007 */ 948 { 949 .valid = 1, 950 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 951 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 952 .algorithm_mkey = SSL_kECDHE, 953 .algorithm_auth = SSL_aECDSA, 954 .algorithm_enc = SSL_RC4, 955 .algorithm_mac = SSL_SHA1, 956 .algorithm_ssl = SSL_TLSV1, 957 .algo_strength = SSL_LOW, 958 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 959 .strength_bits = 128, 960 .alg_bits = 128, 961 }, 962 963 /* Cipher C008 */ 964 { 965 .valid = 1, 966 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 967 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 968 .algorithm_mkey = SSL_kECDHE, 969 .algorithm_auth = SSL_aECDSA, 970 .algorithm_enc = SSL_3DES, 971 .algorithm_mac = SSL_SHA1, 972 .algorithm_ssl = SSL_TLSV1, 973 .algo_strength = SSL_MEDIUM, 974 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 975 .strength_bits = 112, 976 .alg_bits = 168, 977 }, 978 979 /* Cipher C009 */ 980 { 981 .valid = 1, 982 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 983 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 984 .algorithm_mkey = SSL_kECDHE, 985 .algorithm_auth = SSL_aECDSA, 986 .algorithm_enc = SSL_AES128, 987 .algorithm_mac = SSL_SHA1, 988 .algorithm_ssl = SSL_TLSV1, 989 .algo_strength = SSL_HIGH, 990 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 991 .strength_bits = 128, 992 .alg_bits = 128, 993 }, 994 995 /* Cipher C00A */ 996 { 997 .valid = 1, 998 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 999 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1000 .algorithm_mkey = SSL_kECDHE, 1001 .algorithm_auth = SSL_aECDSA, 1002 .algorithm_enc = SSL_AES256, 1003 .algorithm_mac = SSL_SHA1, 1004 .algorithm_ssl = SSL_TLSV1, 1005 .algo_strength = SSL_HIGH, 1006 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1007 .strength_bits = 256, 1008 .alg_bits = 256, 1009 }, 1010 1011 /* Cipher C010 */ 1012 { 1013 .valid = 1, 1014 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1015 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1016 .algorithm_mkey = SSL_kECDHE, 1017 .algorithm_auth = SSL_aRSA, 1018 .algorithm_enc = SSL_eNULL, 1019 .algorithm_mac = SSL_SHA1, 1020 .algorithm_ssl = SSL_TLSV1, 1021 .algo_strength = SSL_STRONG_NONE, 1022 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1023 .strength_bits = 0, 1024 .alg_bits = 0, 1025 }, 1026 1027 /* Cipher C011 */ 1028 { 1029 .valid = 1, 1030 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1031 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1032 .algorithm_mkey = SSL_kECDHE, 1033 .algorithm_auth = SSL_aRSA, 1034 .algorithm_enc = SSL_RC4, 1035 .algorithm_mac = SSL_SHA1, 1036 .algorithm_ssl = SSL_TLSV1, 1037 .algo_strength = SSL_LOW, 1038 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1039 .strength_bits = 128, 1040 .alg_bits = 128, 1041 }, 1042 1043 /* Cipher C012 */ 1044 { 1045 .valid = 1, 1046 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1047 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1048 .algorithm_mkey = SSL_kECDHE, 1049 .algorithm_auth = SSL_aRSA, 1050 .algorithm_enc = SSL_3DES, 1051 .algorithm_mac = SSL_SHA1, 1052 .algorithm_ssl = SSL_TLSV1, 1053 .algo_strength = SSL_MEDIUM, 1054 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1055 .strength_bits = 112, 1056 .alg_bits = 168, 1057 }, 1058 1059 /* Cipher C013 */ 1060 { 1061 .valid = 1, 1062 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1063 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1064 .algorithm_mkey = SSL_kECDHE, 1065 .algorithm_auth = SSL_aRSA, 1066 .algorithm_enc = SSL_AES128, 1067 .algorithm_mac = SSL_SHA1, 1068 .algorithm_ssl = SSL_TLSV1, 1069 .algo_strength = SSL_HIGH, 1070 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1071 .strength_bits = 128, 1072 .alg_bits = 128, 1073 }, 1074 1075 /* Cipher C014 */ 1076 { 1077 .valid = 1, 1078 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1079 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1080 .algorithm_mkey = SSL_kECDHE, 1081 .algorithm_auth = SSL_aRSA, 1082 .algorithm_enc = SSL_AES256, 1083 .algorithm_mac = SSL_SHA1, 1084 .algorithm_ssl = SSL_TLSV1, 1085 .algo_strength = SSL_HIGH, 1086 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1087 .strength_bits = 256, 1088 .alg_bits = 256, 1089 }, 1090 1091 /* Cipher C015 */ 1092 { 1093 .valid = 1, 1094 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1095 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1096 .algorithm_mkey = SSL_kECDHE, 1097 .algorithm_auth = SSL_aNULL, 1098 .algorithm_enc = SSL_eNULL, 1099 .algorithm_mac = SSL_SHA1, 1100 .algorithm_ssl = SSL_TLSV1, 1101 .algo_strength = SSL_STRONG_NONE, 1102 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1103 .strength_bits = 0, 1104 .alg_bits = 0, 1105 }, 1106 1107 /* Cipher C016 */ 1108 { 1109 .valid = 1, 1110 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1111 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1112 .algorithm_mkey = SSL_kECDHE, 1113 .algorithm_auth = SSL_aNULL, 1114 .algorithm_enc = SSL_RC4, 1115 .algorithm_mac = SSL_SHA1, 1116 .algorithm_ssl = SSL_TLSV1, 1117 .algo_strength = SSL_LOW, 1118 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1119 .strength_bits = 128, 1120 .alg_bits = 128, 1121 }, 1122 1123 /* Cipher C017 */ 1124 { 1125 .valid = 1, 1126 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1127 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1128 .algorithm_mkey = SSL_kECDHE, 1129 .algorithm_auth = SSL_aNULL, 1130 .algorithm_enc = SSL_3DES, 1131 .algorithm_mac = SSL_SHA1, 1132 .algorithm_ssl = SSL_TLSV1, 1133 .algo_strength = SSL_MEDIUM, 1134 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1135 .strength_bits = 112, 1136 .alg_bits = 168, 1137 }, 1138 1139 /* Cipher C018 */ 1140 { 1141 .valid = 1, 1142 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1143 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1144 .algorithm_mkey = SSL_kECDHE, 1145 .algorithm_auth = SSL_aNULL, 1146 .algorithm_enc = SSL_AES128, 1147 .algorithm_mac = SSL_SHA1, 1148 .algorithm_ssl = SSL_TLSV1, 1149 .algo_strength = SSL_HIGH, 1150 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1151 .strength_bits = 128, 1152 .alg_bits = 128, 1153 }, 1154 1155 /* Cipher C019 */ 1156 { 1157 .valid = 1, 1158 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1159 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1160 .algorithm_mkey = SSL_kECDHE, 1161 .algorithm_auth = SSL_aNULL, 1162 .algorithm_enc = SSL_AES256, 1163 .algorithm_mac = SSL_SHA1, 1164 .algorithm_ssl = SSL_TLSV1, 1165 .algo_strength = SSL_HIGH, 1166 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1167 .strength_bits = 256, 1168 .alg_bits = 256, 1169 }, 1170 1171 1172 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1173 1174 /* Cipher C023 */ 1175 { 1176 .valid = 1, 1177 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1178 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1179 .algorithm_mkey = SSL_kECDHE, 1180 .algorithm_auth = SSL_aECDSA, 1181 .algorithm_enc = SSL_AES128, 1182 .algorithm_mac = SSL_SHA256, 1183 .algorithm_ssl = SSL_TLSV1_2, 1184 .algo_strength = SSL_HIGH, 1185 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1186 .strength_bits = 128, 1187 .alg_bits = 128, 1188 }, 1189 1190 /* Cipher C024 */ 1191 { 1192 .valid = 1, 1193 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1194 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1195 .algorithm_mkey = SSL_kECDHE, 1196 .algorithm_auth = SSL_aECDSA, 1197 .algorithm_enc = SSL_AES256, 1198 .algorithm_mac = SSL_SHA384, 1199 .algorithm_ssl = SSL_TLSV1_2, 1200 .algo_strength = SSL_HIGH, 1201 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1202 .strength_bits = 256, 1203 .alg_bits = 256, 1204 }, 1205 1206 /* Cipher C027 */ 1207 { 1208 .valid = 1, 1209 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1210 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1211 .algorithm_mkey = SSL_kECDHE, 1212 .algorithm_auth = SSL_aRSA, 1213 .algorithm_enc = SSL_AES128, 1214 .algorithm_mac = SSL_SHA256, 1215 .algorithm_ssl = SSL_TLSV1_2, 1216 .algo_strength = SSL_HIGH, 1217 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1218 .strength_bits = 128, 1219 .alg_bits = 128, 1220 }, 1221 1222 /* Cipher C028 */ 1223 { 1224 .valid = 1, 1225 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1226 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1227 .algorithm_mkey = SSL_kECDHE, 1228 .algorithm_auth = SSL_aRSA, 1229 .algorithm_enc = SSL_AES256, 1230 .algorithm_mac = SSL_SHA384, 1231 .algorithm_ssl = SSL_TLSV1_2, 1232 .algo_strength = SSL_HIGH, 1233 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1234 .strength_bits = 256, 1235 .alg_bits = 256, 1236 }, 1237 1238 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1239 1240 /* Cipher C02B */ 1241 { 1242 .valid = 1, 1243 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1244 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1245 .algorithm_mkey = SSL_kECDHE, 1246 .algorithm_auth = SSL_aECDSA, 1247 .algorithm_enc = SSL_AES128GCM, 1248 .algorithm_mac = SSL_AEAD, 1249 .algorithm_ssl = SSL_TLSV1_2, 1250 .algo_strength = SSL_HIGH, 1251 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1252 FIXED_NONCE_LEN(4)| 1253 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1254 .strength_bits = 128, 1255 .alg_bits = 128, 1256 }, 1257 1258 /* Cipher C02C */ 1259 { 1260 .valid = 1, 1261 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1262 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1263 .algorithm_mkey = SSL_kECDHE, 1264 .algorithm_auth = SSL_aECDSA, 1265 .algorithm_enc = SSL_AES256GCM, 1266 .algorithm_mac = SSL_AEAD, 1267 .algorithm_ssl = SSL_TLSV1_2, 1268 .algo_strength = SSL_HIGH, 1269 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1270 FIXED_NONCE_LEN(4)| 1271 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1272 .strength_bits = 256, 1273 .alg_bits = 256, 1274 }, 1275 1276 /* Cipher C02F */ 1277 { 1278 .valid = 1, 1279 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1280 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1281 .algorithm_mkey = SSL_kECDHE, 1282 .algorithm_auth = SSL_aRSA, 1283 .algorithm_enc = SSL_AES128GCM, 1284 .algorithm_mac = SSL_AEAD, 1285 .algorithm_ssl = SSL_TLSV1_2, 1286 .algo_strength = SSL_HIGH, 1287 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1288 FIXED_NONCE_LEN(4)| 1289 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1290 .strength_bits = 128, 1291 .alg_bits = 128, 1292 }, 1293 1294 /* Cipher C030 */ 1295 { 1296 .valid = 1, 1297 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1298 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1299 .algorithm_mkey = SSL_kECDHE, 1300 .algorithm_auth = SSL_aRSA, 1301 .algorithm_enc = SSL_AES256GCM, 1302 .algorithm_mac = SSL_AEAD, 1303 .algorithm_ssl = SSL_TLSV1_2, 1304 .algo_strength = SSL_HIGH, 1305 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1306 FIXED_NONCE_LEN(4)| 1307 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1308 .strength_bits = 256, 1309 .alg_bits = 256, 1310 }, 1311 1312 /* Cipher CCA8 */ 1313 { 1314 .valid = 1, 1315 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1316 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1317 .algorithm_mkey = SSL_kECDHE, 1318 .algorithm_auth = SSL_aRSA, 1319 .algorithm_enc = SSL_CHACHA20POLY1305, 1320 .algorithm_mac = SSL_AEAD, 1321 .algorithm_ssl = SSL_TLSV1_2, 1322 .algo_strength = SSL_HIGH, 1323 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1324 FIXED_NONCE_LEN(12), 1325 .strength_bits = 256, 1326 .alg_bits = 256, 1327 }, 1328 1329 /* Cipher CCA9 */ 1330 { 1331 .valid = 1, 1332 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1333 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1334 .algorithm_mkey = SSL_kECDHE, 1335 .algorithm_auth = SSL_aECDSA, 1336 .algorithm_enc = SSL_CHACHA20POLY1305, 1337 .algorithm_mac = SSL_AEAD, 1338 .algorithm_ssl = SSL_TLSV1_2, 1339 .algo_strength = SSL_HIGH, 1340 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1341 FIXED_NONCE_LEN(12), 1342 .strength_bits = 256, 1343 .alg_bits = 256, 1344 }, 1345 1346 /* Cipher CCAA */ 1347 { 1348 .valid = 1, 1349 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1350 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1351 .algorithm_mkey = SSL_kDHE, 1352 .algorithm_auth = SSL_aRSA, 1353 .algorithm_enc = SSL_CHACHA20POLY1305, 1354 .algorithm_mac = SSL_AEAD, 1355 .algorithm_ssl = SSL_TLSV1_2, 1356 .algo_strength = SSL_HIGH, 1357 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1358 FIXED_NONCE_LEN(12), 1359 .strength_bits = 256, 1360 .alg_bits = 256, 1361 }, 1362 1363 /* Cipher FF85 FIXME IANA */ 1364 { 1365 .valid = 1, 1366 .name = "GOST2012256-GOST89-GOST89", 1367 .id = 0x300ff85, /* FIXME IANA */ 1368 .algorithm_mkey = SSL_kGOST, 1369 .algorithm_auth = SSL_aGOST01, 1370 .algorithm_enc = SSL_eGOST2814789CNT, 1371 .algorithm_mac = SSL_GOST89MAC, 1372 .algorithm_ssl = SSL_TLSV1, 1373 .algo_strength = SSL_HIGH, 1374 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1375 TLS1_STREAM_MAC, 1376 .strength_bits = 256, 1377 .alg_bits = 256 1378 }, 1379 1380 /* Cipher FF87 FIXME IANA */ 1381 { 1382 .valid = 1, 1383 .name = "GOST2012256-NULL-STREEBOG256", 1384 .id = 0x300ff87, /* FIXME IANA */ 1385 .algorithm_mkey = SSL_kGOST, 1386 .algorithm_auth = SSL_aGOST01, 1387 .algorithm_enc = SSL_eNULL, 1388 .algorithm_mac = SSL_STREEBOG256, 1389 .algorithm_ssl = SSL_TLSV1, 1390 .algo_strength = SSL_STRONG_NONE, 1391 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1392 .strength_bits = 0, 1393 .alg_bits = 0 1394 }, 1395 1396 1397 /* end of list */ 1398 }; 1399 1400 int 1401 ssl3_num_ciphers(void) 1402 { 1403 return (SSL3_NUM_CIPHERS); 1404 } 1405 1406 const SSL_CIPHER * 1407 ssl3_get_cipher(unsigned int u) 1408 { 1409 if (u < SSL3_NUM_CIPHERS) 1410 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1411 else 1412 return (NULL); 1413 } 1414 1415 const SSL_CIPHER * 1416 ssl3_get_cipher_by_id(unsigned int id) 1417 { 1418 const SSL_CIPHER *cp; 1419 SSL_CIPHER c; 1420 1421 c.id = id; 1422 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1423 if (cp != NULL && cp->valid == 1) 1424 return (cp); 1425 1426 return (NULL); 1427 } 1428 1429 const SSL_CIPHER * 1430 ssl3_get_cipher_by_value(uint16_t value) 1431 { 1432 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1433 } 1434 1435 uint16_t 1436 ssl3_cipher_get_value(const SSL_CIPHER *c) 1437 { 1438 return (c->id & SSL3_CK_VALUE_MASK); 1439 } 1440 1441 int 1442 ssl3_pending(const SSL *s) 1443 { 1444 if (s->internal->rstate == SSL_ST_READ_BODY) 1445 return 0; 1446 1447 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1448 s->s3->rrec.length : 0; 1449 } 1450 1451 int 1452 ssl3_handshake_msg_hdr_len(SSL *s) 1453 { 1454 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1455 SSL3_HM_HEADER_LENGTH); 1456 } 1457 1458 int 1459 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1460 { 1461 int ret = 0; 1462 1463 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1464 goto err; 1465 if (!CBB_add_u8(handshake, msg_type)) 1466 goto err; 1467 if (SSL_is_dtls(s)) { 1468 unsigned char *data; 1469 1470 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1471 SSL3_HM_HEADER_LENGTH)) 1472 goto err; 1473 } 1474 if (!CBB_add_u24_length_prefixed(handshake, body)) 1475 goto err; 1476 1477 ret = 1; 1478 1479 err: 1480 return (ret); 1481 } 1482 1483 int 1484 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1485 { 1486 unsigned char *data = NULL; 1487 size_t outlen; 1488 int ret = 0; 1489 1490 if (!CBB_finish(handshake, &data, &outlen)) 1491 goto err; 1492 1493 if (outlen > INT_MAX) 1494 goto err; 1495 1496 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen)) 1497 goto err; 1498 1499 memcpy(s->internal->init_buf->data, data, outlen); 1500 1501 s->internal->init_num = (int)outlen; 1502 s->internal->init_off = 0; 1503 1504 if (SSL_is_dtls(s)) { 1505 unsigned long len; 1506 uint8_t msg_type; 1507 CBS cbs; 1508 1509 CBS_init(&cbs, data, outlen); 1510 if (!CBS_get_u8(&cbs, &msg_type)) 1511 goto err; 1512 1513 len = outlen - ssl3_handshake_msg_hdr_len(s); 1514 1515 dtls1_set_message_header(s, msg_type, len, 0, len); 1516 dtls1_buffer_message(s, 0); 1517 } 1518 1519 ret = 1; 1520 1521 err: 1522 free(data); 1523 1524 return (ret); 1525 } 1526 1527 int 1528 ssl3_handshake_write(SSL *s) 1529 { 1530 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1531 } 1532 1533 int 1534 ssl3_record_write(SSL *s, int type) 1535 { 1536 if (SSL_is_dtls(s)) 1537 return dtls1_do_write(s, type); 1538 1539 return ssl3_do_write(s, type); 1540 } 1541 1542 int 1543 ssl3_new(SSL *s) 1544 { 1545 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1546 return (0); 1547 1548 s->method->ssl_clear(s); 1549 1550 return (1); 1551 } 1552 1553 void 1554 ssl3_free(SSL *s) 1555 { 1556 if (s == NULL) 1557 return; 1558 1559 tls1_cleanup_key_block(s); 1560 ssl3_release_read_buffer(s); 1561 ssl3_release_write_buffer(s); 1562 1563 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1564 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1565 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1566 tls_key_share_free(s->s3->hs.key_share); 1567 1568 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1569 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1570 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1571 1572 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1573 1574 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1575 sk_X509_pop_free(s->internal->verified_chain, X509_free); 1576 1577 tls1_transcript_free(s); 1578 tls1_transcript_hash_free(s); 1579 1580 free(s->s3->alpn_selected); 1581 1582 freezero(s->s3->peer_quic_transport_params, 1583 s->s3->peer_quic_transport_params_len); 1584 1585 freezero(s->s3, sizeof(*s->s3)); 1586 1587 s->s3 = NULL; 1588 } 1589 1590 void 1591 ssl3_clear(SSL *s) 1592 { 1593 unsigned char *rp, *wp; 1594 size_t rlen, wlen; 1595 1596 tls1_cleanup_key_block(s); 1597 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1598 sk_X509_pop_free(s->internal->verified_chain, X509_free); 1599 s->internal->verified_chain = NULL; 1600 1601 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1602 s->s3->hs.sigalgs = NULL; 1603 s->s3->hs.sigalgs_len = 0; 1604 1605 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1606 s->s3->hs.peer_certs = NULL; 1607 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1608 s->s3->hs.peer_certs_no_leaf = NULL; 1609 1610 tls_key_share_free(s->s3->hs.key_share); 1611 s->s3->hs.key_share = NULL; 1612 1613 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1614 s->s3->hs.tls13.secrets = NULL; 1615 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1616 s->s3->hs.tls13.cookie = NULL; 1617 s->s3->hs.tls13.cookie_len = 0; 1618 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1619 1620 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1621 s->s3->hs.tls13.quic_read_buffer = NULL; 1622 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1623 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1624 1625 s->s3->hs.extensions_seen = 0; 1626 1627 rp = s->s3->rbuf.buf; 1628 wp = s->s3->wbuf.buf; 1629 rlen = s->s3->rbuf.len; 1630 wlen = s->s3->wbuf.len; 1631 1632 tls1_transcript_free(s); 1633 tls1_transcript_hash_free(s); 1634 1635 free(s->s3->alpn_selected); 1636 s->s3->alpn_selected = NULL; 1637 s->s3->alpn_selected_len = 0; 1638 1639 freezero(s->s3->peer_quic_transport_params, 1640 s->s3->peer_quic_transport_params_len); 1641 s->s3->peer_quic_transport_params = NULL; 1642 s->s3->peer_quic_transport_params_len = 0; 1643 1644 memset(s->s3, 0, sizeof(*s->s3)); 1645 1646 s->s3->rbuf.buf = rp; 1647 s->s3->wbuf.buf = wp; 1648 s->s3->rbuf.len = rlen; 1649 s->s3->wbuf.len = wlen; 1650 1651 ssl_free_wbio_buffer(s); 1652 1653 /* Not needed... */ 1654 s->s3->renegotiate = 0; 1655 s->s3->total_renegotiations = 0; 1656 s->s3->num_renegotiations = 0; 1657 s->s3->in_read_app_data = 0; 1658 1659 s->internal->packet_length = 0; 1660 s->version = TLS1_VERSION; 1661 1662 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1663 } 1664 1665 long 1666 _SSL_get_shared_group(SSL *s, long n) 1667 { 1668 size_t count; 1669 int nid; 1670 1671 /* OpenSSL document that they return -1 for clients. They return 0. */ 1672 if (!s->server) 1673 return 0; 1674 1675 if (n == -1) { 1676 if (!tls1_count_shared_groups(s, &count)) 1677 return 0; 1678 1679 if (count > LONG_MAX) 1680 count = LONG_MAX; 1681 1682 return count; 1683 } 1684 1685 /* Undocumented special case added for Suite B profile support. */ 1686 if (n == -2) 1687 n = 0; 1688 1689 if (n < 0) 1690 return 0; 1691 1692 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1693 return NID_undef; 1694 1695 return nid; 1696 } 1697 1698 long 1699 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1700 { 1701 EVP_PKEY *pkey = NULL; 1702 int ret = 0; 1703 1704 *key = NULL; 1705 1706 if (s->s3->hs.key_share == NULL) 1707 goto err; 1708 1709 if ((pkey = EVP_PKEY_new()) == NULL) 1710 goto err; 1711 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1712 goto err; 1713 1714 *key = pkey; 1715 pkey = NULL; 1716 1717 ret = 1; 1718 1719 err: 1720 EVP_PKEY_free(pkey); 1721 1722 return (ret); 1723 } 1724 1725 static int 1726 _SSL_session_reused(SSL *s) 1727 { 1728 return s->internal->hit; 1729 } 1730 1731 static int 1732 _SSL_num_renegotiations(SSL *s) 1733 { 1734 return s->s3->num_renegotiations; 1735 } 1736 1737 static int 1738 _SSL_clear_num_renegotiations(SSL *s) 1739 { 1740 int renegs; 1741 1742 renegs = s->s3->num_renegotiations; 1743 s->s3->num_renegotiations = 0; 1744 1745 return renegs; 1746 } 1747 1748 static int 1749 _SSL_total_renegotiations(SSL *s) 1750 { 1751 return s->s3->total_renegotiations; 1752 } 1753 1754 static int 1755 _SSL_set_tmp_dh(SSL *s, DH *dh) 1756 { 1757 DH *dhe_params; 1758 1759 if (dh == NULL) { 1760 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1761 return 0; 1762 } 1763 1764 if (!ssl_security_dh(s, dh)) { 1765 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1766 return 0; 1767 } 1768 1769 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1770 SSLerror(s, ERR_R_DH_LIB); 1771 return 0; 1772 } 1773 1774 DH_free(s->cert->dhe_params); 1775 s->cert->dhe_params = dhe_params; 1776 1777 return 1; 1778 } 1779 1780 static int 1781 _SSL_set_dh_auto(SSL *s, int state) 1782 { 1783 s->cert->dhe_params_auto = state; 1784 return 1; 1785 } 1786 1787 static int 1788 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1789 { 1790 const EC_GROUP *group; 1791 int nid; 1792 1793 if (ecdh == NULL) 1794 return 0; 1795 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1796 return 0; 1797 1798 nid = EC_GROUP_get_curve_name(group); 1799 return SSL_set1_groups(s, &nid, 1); 1800 } 1801 1802 static int 1803 _SSL_set_ecdh_auto(SSL *s, int state) 1804 { 1805 return 1; 1806 } 1807 1808 static int 1809 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1810 { 1811 int is_ip; 1812 CBS cbs; 1813 1814 free(s->tlsext_hostname); 1815 s->tlsext_hostname = NULL; 1816 1817 if (name == NULL) 1818 return 1; 1819 1820 CBS_init(&cbs, name, strlen(name)); 1821 1822 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1823 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1824 return 0; 1825 } 1826 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1827 SSLerror(s, ERR_R_INTERNAL_ERROR); 1828 return 0; 1829 } 1830 1831 return 1; 1832 } 1833 1834 static int 1835 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1836 { 1837 s->internal->tlsext_debug_arg = arg; 1838 return 1; 1839 } 1840 1841 static int 1842 _SSL_get_tlsext_status_type(SSL *s) 1843 { 1844 return s->tlsext_status_type; 1845 } 1846 1847 static int 1848 _SSL_set_tlsext_status_type(SSL *s, int type) 1849 { 1850 s->tlsext_status_type = type; 1851 return 1; 1852 } 1853 1854 static int 1855 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1856 { 1857 *exts = s->internal->tlsext_ocsp_exts; 1858 return 1; 1859 } 1860 1861 static int 1862 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1863 { 1864 /* XXX - leak... */ 1865 s->internal->tlsext_ocsp_exts = exts; 1866 return 1; 1867 } 1868 1869 static int 1870 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1871 { 1872 *ids = s->internal->tlsext_ocsp_ids; 1873 return 1; 1874 } 1875 1876 static int 1877 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1878 { 1879 /* XXX - leak... */ 1880 s->internal->tlsext_ocsp_ids = ids; 1881 return 1; 1882 } 1883 1884 static int 1885 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1886 { 1887 if (s->internal->tlsext_ocsp_resp != NULL && 1888 s->internal->tlsext_ocsp_resp_len < INT_MAX) { 1889 *resp = s->internal->tlsext_ocsp_resp; 1890 return (int)s->internal->tlsext_ocsp_resp_len; 1891 } 1892 1893 *resp = NULL; 1894 1895 return -1; 1896 } 1897 1898 static int 1899 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1900 { 1901 free(s->internal->tlsext_ocsp_resp); 1902 s->internal->tlsext_ocsp_resp = NULL; 1903 s->internal->tlsext_ocsp_resp_len = 0; 1904 1905 if (resp_len < 0) 1906 return 0; 1907 1908 s->internal->tlsext_ocsp_resp = resp; 1909 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; 1910 1911 return 1; 1912 } 1913 1914 int 1915 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1916 { 1917 return ssl_cert_set0_chain(NULL, ssl, chain); 1918 } 1919 1920 int 1921 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1922 { 1923 return ssl_cert_set1_chain(NULL, ssl, chain); 1924 } 1925 1926 int 1927 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1928 { 1929 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1930 } 1931 1932 int 1933 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1934 { 1935 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1936 } 1937 1938 int 1939 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1940 { 1941 *out_chain = NULL; 1942 1943 if (ssl->cert->key != NULL) 1944 *out_chain = ssl->cert->key->chain; 1945 1946 return 1; 1947 } 1948 1949 int 1950 SSL_clear_chain_certs(SSL *ssl) 1951 { 1952 return ssl_cert_set0_chain(NULL, ssl, NULL); 1953 } 1954 1955 int 1956 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1957 { 1958 return tls1_set_groups(&s->internal->tlsext_supportedgroups, 1959 &s->internal->tlsext_supportedgroups_length, groups, groups_len); 1960 } 1961 1962 int 1963 SSL_set1_groups_list(SSL *s, const char *groups) 1964 { 1965 return tls1_set_group_list(&s->internal->tlsext_supportedgroups, 1966 &s->internal->tlsext_supportedgroups_length, groups); 1967 } 1968 1969 static int 1970 _SSL_get_signature_nid(SSL *s, int *nid) 1971 { 1972 const struct ssl_sigalg *sigalg; 1973 1974 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1975 return 0; 1976 1977 *nid = EVP_MD_type(sigalg->md()); 1978 1979 return 1; 1980 } 1981 1982 static int 1983 _SSL_get_peer_signature_nid(SSL *s, int *nid) 1984 { 1985 const struct ssl_sigalg *sigalg; 1986 1987 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 1988 return 0; 1989 1990 *nid = EVP_MD_type(sigalg->md()); 1991 1992 return 1; 1993 } 1994 1995 int 1996 SSL_get_signature_type_nid(const SSL *s, int *nid) 1997 { 1998 const struct ssl_sigalg *sigalg; 1999 2000 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 2001 return 0; 2002 2003 *nid = sigalg->key_type; 2004 if (sigalg->key_type == EVP_PKEY_RSA && 2005 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2006 *nid = EVP_PKEY_RSA_PSS; 2007 2008 return 1; 2009 } 2010 2011 int 2012 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 2013 { 2014 const struct ssl_sigalg *sigalg; 2015 2016 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2017 return 0; 2018 2019 *nid = sigalg->key_type; 2020 if (sigalg->key_type == EVP_PKEY_RSA && 2021 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2022 *nid = EVP_PKEY_RSA_PSS; 2023 2024 return 1; 2025 } 2026 2027 long 2028 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 2029 { 2030 switch (cmd) { 2031 case SSL_CTRL_GET_SESSION_REUSED: 2032 return _SSL_session_reused(s); 2033 2034 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 2035 return _SSL_num_renegotiations(s); 2036 2037 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 2038 return _SSL_clear_num_renegotiations(s); 2039 2040 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 2041 return _SSL_total_renegotiations(s); 2042 2043 case SSL_CTRL_SET_TMP_DH: 2044 return _SSL_set_tmp_dh(s, parg); 2045 2046 case SSL_CTRL_SET_TMP_DH_CB: 2047 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2048 return 0; 2049 2050 case SSL_CTRL_SET_DH_AUTO: 2051 return _SSL_set_dh_auto(s, larg); 2052 2053 case SSL_CTRL_SET_TMP_ECDH: 2054 return _SSL_set_tmp_ecdh(s, parg); 2055 2056 case SSL_CTRL_SET_TMP_ECDH_CB: 2057 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2058 return 0; 2059 2060 case SSL_CTRL_SET_ECDH_AUTO: 2061 return _SSL_set_ecdh_auto(s, larg); 2062 2063 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 2064 if (larg != TLSEXT_NAMETYPE_host_name) { 2065 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 2066 return 0; 2067 } 2068 return _SSL_set_tlsext_host_name(s, parg); 2069 2070 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2071 return _SSL_set_tlsext_debug_arg(s, parg); 2072 2073 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 2074 return _SSL_get_tlsext_status_type(s); 2075 2076 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 2077 return _SSL_set_tlsext_status_type(s, larg); 2078 2079 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 2080 return _SSL_get_tlsext_status_exts(s, parg); 2081 2082 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 2083 return _SSL_set_tlsext_status_exts(s, parg); 2084 2085 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 2086 return _SSL_get_tlsext_status_ids(s, parg); 2087 2088 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 2089 return _SSL_set_tlsext_status_ids(s, parg); 2090 2091 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2092 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2093 2094 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2095 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2096 2097 case SSL_CTRL_CHAIN: 2098 if (larg == 0) 2099 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2100 else 2101 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2102 2103 case SSL_CTRL_CHAIN_CERT: 2104 if (larg == 0) 2105 return SSL_add0_chain_cert(s, (X509 *)parg); 2106 else 2107 return SSL_add1_chain_cert(s, (X509 *)parg); 2108 2109 case SSL_CTRL_GET_CHAIN_CERTS: 2110 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2111 2112 case SSL_CTRL_SET_GROUPS: 2113 return SSL_set1_groups(s, parg, larg); 2114 2115 case SSL_CTRL_SET_GROUPS_LIST: 2116 return SSL_set1_groups_list(s, parg); 2117 2118 case SSL_CTRL_GET_SHARED_GROUP: 2119 return _SSL_get_shared_group(s, larg); 2120 2121 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2122 case SSL_CTRL_GET_SERVER_TMP_KEY: 2123 if (s->server != 0) 2124 return 0; 2125 return _SSL_get_peer_tmp_key(s, parg); 2126 2127 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2128 return SSL_get_min_proto_version(s); 2129 2130 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2131 return SSL_get_max_proto_version(s); 2132 2133 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2134 if (larg < 0 || larg > UINT16_MAX) 2135 return 0; 2136 return SSL_set_min_proto_version(s, larg); 2137 2138 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2139 if (larg < 0 || larg > UINT16_MAX) 2140 return 0; 2141 return SSL_set_max_proto_version(s, larg); 2142 2143 case SSL_CTRL_GET_SIGNATURE_NID: 2144 return _SSL_get_signature_nid(s, parg); 2145 2146 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 2147 return _SSL_get_peer_signature_nid(s, parg); 2148 2149 /* 2150 * Legacy controls that should eventually be removed. 2151 */ 2152 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2153 return 0; 2154 2155 case SSL_CTRL_GET_FLAGS: 2156 return (int)(s->s3->flags); 2157 2158 case SSL_CTRL_NEED_TMP_RSA: 2159 return 0; 2160 2161 case SSL_CTRL_SET_TMP_RSA: 2162 case SSL_CTRL_SET_TMP_RSA_CB: 2163 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2164 return 0; 2165 } 2166 2167 return 0; 2168 } 2169 2170 long 2171 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2172 { 2173 switch (cmd) { 2174 case SSL_CTRL_SET_TMP_RSA_CB: 2175 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2176 return 0; 2177 2178 case SSL_CTRL_SET_TMP_DH_CB: 2179 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 2180 return 1; 2181 2182 case SSL_CTRL_SET_TMP_ECDH_CB: 2183 return 1; 2184 2185 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2186 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, 2187 unsigned char *, int, void *))fp; 2188 return 1; 2189 } 2190 2191 return 0; 2192 } 2193 2194 static int 2195 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2196 { 2197 DH *dhe_params; 2198 2199 if (dh == NULL) { 2200 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 2201 return 0; 2202 } 2203 2204 if (!ssl_ctx_security_dh(ctx, dh)) { 2205 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 2206 return 0; 2207 } 2208 2209 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2210 SSLerrorx(ERR_R_DH_LIB); 2211 return 0; 2212 } 2213 2214 DH_free(ctx->internal->cert->dhe_params); 2215 ctx->internal->cert->dhe_params = dhe_params; 2216 2217 return 1; 2218 } 2219 2220 static int 2221 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2222 { 2223 ctx->internal->cert->dhe_params_auto = state; 2224 return 1; 2225 } 2226 2227 static int 2228 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2229 { 2230 const EC_GROUP *group; 2231 int nid; 2232 2233 if (ecdh == NULL) 2234 return 0; 2235 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2236 return 0; 2237 2238 nid = EC_GROUP_get_curve_name(group); 2239 return SSL_CTX_set1_groups(ctx, &nid, 1); 2240 } 2241 2242 static int 2243 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2244 { 2245 return 1; 2246 } 2247 2248 static int 2249 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2250 { 2251 ctx->internal->tlsext_servername_arg = arg; 2252 return 1; 2253 } 2254 2255 static int 2256 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2257 { 2258 if (keys == NULL) 2259 return 48; 2260 2261 if (keys_len != 48) { 2262 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2263 return 0; 2264 } 2265 2266 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); 2267 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16); 2268 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16); 2269 2270 return 1; 2271 } 2272 2273 static int 2274 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2275 { 2276 if (keys == NULL) 2277 return 48; 2278 2279 if (keys_len != 48) { 2280 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2281 return 0; 2282 } 2283 2284 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); 2285 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16); 2286 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); 2287 2288 return 1; 2289 } 2290 2291 static int 2292 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2293 { 2294 *arg = ctx->internal->tlsext_status_arg; 2295 return 1; 2296 } 2297 2298 static int 2299 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2300 { 2301 ctx->internal->tlsext_status_arg = arg; 2302 return 1; 2303 } 2304 2305 int 2306 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2307 { 2308 return ssl_cert_set0_chain(ctx, NULL, chain); 2309 } 2310 2311 int 2312 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2313 { 2314 return ssl_cert_set1_chain(ctx, NULL, chain); 2315 } 2316 2317 int 2318 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2319 { 2320 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2321 } 2322 2323 int 2324 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2325 { 2326 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2327 } 2328 2329 int 2330 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2331 { 2332 *out_chain = NULL; 2333 2334 if (ctx->internal->cert->key != NULL) 2335 *out_chain = ctx->internal->cert->key->chain; 2336 2337 return 1; 2338 } 2339 2340 int 2341 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2342 { 2343 return ssl_cert_set0_chain(ctx, NULL, NULL); 2344 } 2345 2346 static int 2347 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2348 { 2349 if (ctx->extra_certs == NULL) { 2350 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2351 return 0; 2352 } 2353 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2354 return 0; 2355 2356 return 1; 2357 } 2358 2359 static int 2360 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2361 { 2362 *certs = ctx->extra_certs; 2363 if (*certs == NULL) 2364 *certs = ctx->internal->cert->key->chain; 2365 2366 return 1; 2367 } 2368 2369 static int 2370 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2371 { 2372 *certs = ctx->extra_certs; 2373 return 1; 2374 } 2375 2376 static int 2377 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2378 { 2379 sk_X509_pop_free(ctx->extra_certs, X509_free); 2380 ctx->extra_certs = NULL; 2381 return 1; 2382 } 2383 2384 int 2385 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2386 { 2387 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, 2388 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); 2389 } 2390 2391 int 2392 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2393 { 2394 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups, 2395 &ctx->internal->tlsext_supportedgroups_length, groups); 2396 } 2397 2398 long 2399 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2400 { 2401 switch (cmd) { 2402 case SSL_CTRL_SET_TMP_DH: 2403 return _SSL_CTX_set_tmp_dh(ctx, parg); 2404 2405 case SSL_CTRL_SET_TMP_DH_CB: 2406 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2407 return 0; 2408 2409 case SSL_CTRL_SET_DH_AUTO: 2410 return _SSL_CTX_set_dh_auto(ctx, larg); 2411 2412 case SSL_CTRL_SET_TMP_ECDH: 2413 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2414 2415 case SSL_CTRL_SET_TMP_ECDH_CB: 2416 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2417 return 0; 2418 2419 case SSL_CTRL_SET_ECDH_AUTO: 2420 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2421 2422 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2423 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2424 2425 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2426 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2427 2428 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2429 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2430 2431 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2432 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2433 2434 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2435 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2436 2437 case SSL_CTRL_CHAIN: 2438 if (larg == 0) 2439 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2440 else 2441 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2442 2443 case SSL_CTRL_CHAIN_CERT: 2444 if (larg == 0) 2445 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2446 else 2447 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2448 2449 case SSL_CTRL_GET_CHAIN_CERTS: 2450 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2451 2452 case SSL_CTRL_EXTRA_CHAIN_CERT: 2453 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2454 2455 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2456 if (larg == 0) 2457 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2458 else 2459 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2460 2461 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2462 return _SSL_CTX_clear_extra_chain_certs(ctx); 2463 2464 case SSL_CTRL_SET_GROUPS: 2465 return SSL_CTX_set1_groups(ctx, parg, larg); 2466 2467 case SSL_CTRL_SET_GROUPS_LIST: 2468 return SSL_CTX_set1_groups_list(ctx, parg); 2469 2470 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2471 return SSL_CTX_get_min_proto_version(ctx); 2472 2473 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2474 return SSL_CTX_get_max_proto_version(ctx); 2475 2476 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2477 if (larg < 0 || larg > UINT16_MAX) 2478 return 0; 2479 return SSL_CTX_set_min_proto_version(ctx, larg); 2480 2481 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2482 if (larg < 0 || larg > UINT16_MAX) 2483 return 0; 2484 return SSL_CTX_set_max_proto_version(ctx, larg); 2485 2486 /* 2487 * Legacy controls that should eventually be removed. 2488 */ 2489 case SSL_CTRL_NEED_TMP_RSA: 2490 return 0; 2491 2492 case SSL_CTRL_SET_TMP_RSA: 2493 case SSL_CTRL_SET_TMP_RSA_CB: 2494 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2495 return 0; 2496 } 2497 2498 return 0; 2499 } 2500 2501 long 2502 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2503 { 2504 switch (cmd) { 2505 case SSL_CTRL_SET_TMP_RSA_CB: 2506 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2507 return 0; 2508 2509 case SSL_CTRL_SET_TMP_DH_CB: 2510 ctx->internal->cert->dhe_params_cb = 2511 (DH *(*)(SSL *, int, int))fp; 2512 return 1; 2513 2514 case SSL_CTRL_SET_TMP_ECDH_CB: 2515 return 1; 2516 2517 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2518 ctx->internal->tlsext_servername_callback = 2519 (int (*)(SSL *, int *, void *))fp; 2520 return 1; 2521 2522 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2523 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb; 2524 return 1; 2525 2526 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2527 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2528 return 1; 2529 2530 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2531 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2532 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2533 return 1; 2534 } 2535 2536 return 0; 2537 } 2538 2539 SSL_CIPHER * 2540 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2541 STACK_OF(SSL_CIPHER) *srvr) 2542 { 2543 unsigned long alg_k, alg_a, mask_k, mask_a; 2544 STACK_OF(SSL_CIPHER) *prio, *allow; 2545 SSL_CIPHER *c, *ret = NULL; 2546 int can_use_ecc; 2547 int i, ii, nid, ok; 2548 SSL_CERT *cert; 2549 2550 /* Let's see which ciphers we can support */ 2551 cert = s->cert; 2552 2553 can_use_ecc = tls1_get_supported_group(s, &nid); 2554 2555 /* 2556 * Do not set the compare functions, because this may lead to a 2557 * reordering by "id". We want to keep the original ordering. 2558 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2559 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2560 */ 2561 2562 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2563 prio = srvr; 2564 allow = clnt; 2565 } else { 2566 prio = clnt; 2567 allow = srvr; 2568 } 2569 2570 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2571 c = sk_SSL_CIPHER_value(prio, i); 2572 2573 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2574 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2575 !SSL_USE_TLS1_2_CIPHERS(s)) 2576 continue; 2577 2578 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2579 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2580 !SSL_USE_TLS1_3_CIPHERS(s)) 2581 continue; 2582 2583 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2584 if (SSL_USE_TLS1_3_CIPHERS(s) && 2585 !(c->algorithm_ssl & SSL_TLSV1_3)) 2586 continue; 2587 2588 if (!ssl_security_shared_cipher(s, c)) 2589 continue; 2590 2591 ssl_set_cert_masks(cert, c); 2592 mask_k = cert->mask_k; 2593 mask_a = cert->mask_a; 2594 2595 alg_k = c->algorithm_mkey; 2596 alg_a = c->algorithm_auth; 2597 2598 ok = (alg_k & mask_k) && (alg_a & mask_a); 2599 2600 /* 2601 * If we are considering an ECC cipher suite that uses our 2602 * certificate check it. 2603 */ 2604 if (alg_a & SSL_aECDSA) 2605 ok = ok && tls1_check_ec_server_key(s); 2606 /* 2607 * If we are considering an ECC cipher suite that uses 2608 * an ephemeral EC key check it. 2609 */ 2610 if (alg_k & SSL_kECDHE) 2611 ok = ok && can_use_ecc; 2612 2613 if (!ok) 2614 continue; 2615 ii = sk_SSL_CIPHER_find(allow, c); 2616 if (ii >= 0) { 2617 ret = sk_SSL_CIPHER_value(allow, ii); 2618 break; 2619 } 2620 } 2621 return (ret); 2622 } 2623 2624 int 2625 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2626 { 2627 unsigned long alg_k; 2628 2629 alg_k = s->s3->hs.cipher->algorithm_mkey; 2630 2631 #ifndef OPENSSL_NO_GOST 2632 if ((alg_k & SSL_kGOST) != 0) { 2633 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2634 return 0; 2635 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2636 return 0; 2637 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2638 return 0; 2639 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2640 return 0; 2641 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2642 return 0; 2643 } 2644 #endif 2645 2646 if ((alg_k & SSL_kDHE) != 0) { 2647 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2648 return 0; 2649 } 2650 2651 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2652 return 0; 2653 2654 /* 2655 * ECDSA certs can be used with RSA cipher suites as well 2656 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2657 */ 2658 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2659 return 0; 2660 2661 return 1; 2662 } 2663 2664 int 2665 ssl3_shutdown(SSL *s) 2666 { 2667 int ret; 2668 2669 /* 2670 * Don't do anything much if we have not done the handshake or 2671 * we don't want to send messages :-) 2672 */ 2673 if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2674 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2675 return (1); 2676 } 2677 2678 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) { 2679 s->internal->shutdown|=SSL_SENT_SHUTDOWN; 2680 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2681 /* 2682 * Our shutdown alert has been sent now, and if it still needs 2683 * to be written, s->s3->alert_dispatch will be true 2684 */ 2685 if (s->s3->alert_dispatch) 2686 return (-1); /* return WANT_WRITE */ 2687 } else if (s->s3->alert_dispatch) { 2688 /* resend it if not sent */ 2689 ret = ssl3_dispatch_alert(s); 2690 if (ret == -1) { 2691 /* 2692 * We only get to return -1 here the 2nd/Nth 2693 * invocation, we must have already signalled 2694 * return 0 upon a previous invoation, 2695 * return WANT_WRITE 2696 */ 2697 return (ret); 2698 } 2699 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2700 /* If we are waiting for a close from our peer, we are closed */ 2701 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2702 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2703 return (-1); /* return WANT_READ */ 2704 } 2705 } 2706 2707 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2708 !s->s3->alert_dispatch) 2709 return (1); 2710 else 2711 return (0); 2712 } 2713 2714 int 2715 ssl3_write(SSL *s, const void *buf, int len) 2716 { 2717 errno = 0; 2718 2719 if (s->s3->renegotiate) 2720 ssl3_renegotiate_check(s); 2721 2722 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2723 buf, len); 2724 } 2725 2726 static int 2727 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2728 { 2729 int ret; 2730 2731 errno = 0; 2732 if (s->s3->renegotiate) 2733 ssl3_renegotiate_check(s); 2734 s->s3->in_read_app_data = 1; 2735 2736 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2737 peek); 2738 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2739 /* 2740 * ssl3_read_bytes decided to call s->internal->handshake_func, 2741 * which called ssl3_read_bytes to read handshake data. 2742 * However, ssl3_read_bytes actually found application data 2743 * and thinks that application data makes sense here; so disable 2744 * handshake processing and try to read application data again. 2745 */ 2746 s->internal->in_handshake++; 2747 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2748 buf, len, peek); 2749 s->internal->in_handshake--; 2750 } else 2751 s->s3->in_read_app_data = 0; 2752 2753 return (ret); 2754 } 2755 2756 int 2757 ssl3_read(SSL *s, void *buf, int len) 2758 { 2759 return ssl3_read_internal(s, buf, len, 0); 2760 } 2761 2762 int 2763 ssl3_peek(SSL *s, void *buf, int len) 2764 { 2765 return ssl3_read_internal(s, buf, len, 1); 2766 } 2767 2768 int 2769 ssl3_renegotiate(SSL *s) 2770 { 2771 if (s->internal->handshake_func == NULL) 2772 return 1; 2773 2774 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2775 return 0; 2776 2777 s->s3->renegotiate = 1; 2778 2779 return 1; 2780 } 2781 2782 int 2783 ssl3_renegotiate_check(SSL *s) 2784 { 2785 if (!s->s3->renegotiate) 2786 return 0; 2787 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2788 return 0; 2789 2790 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2791 s->s3->renegotiate = 0; 2792 s->s3->num_renegotiations++; 2793 s->s3->total_renegotiations++; 2794 2795 return 1; 2796 } 2797