1 /* $OpenBSD: s3_lib.c,v 1.252 2024/05/10 05:08:05 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 #include <stdlib.h> 154 155 #include <openssl/bn.h> 156 #include <openssl/curve25519.h> 157 #include <openssl/dh.h> 158 #include <openssl/md5.h> 159 #include <openssl/objects.h> 160 #include <openssl/opensslconf.h> 161 162 #include "bytestring.h" 163 #include "dtls_local.h" 164 #include "ssl_local.h" 165 #include "ssl_sigalgs.h" 166 #include "ssl_tlsext.h" 167 #include "tls_content.h" 168 169 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 170 171 /* list of available SSLv3 ciphers (sorted by id) */ 172 const SSL_CIPHER ssl3_ciphers[] = { 173 174 /* The RSA ciphers */ 175 /* Cipher 01 */ 176 { 177 .valid = 1, 178 .name = SSL3_TXT_RSA_NULL_MD5, 179 .id = SSL3_CK_RSA_NULL_MD5, 180 .algorithm_mkey = SSL_kRSA, 181 .algorithm_auth = SSL_aRSA, 182 .algorithm_enc = SSL_eNULL, 183 .algorithm_mac = SSL_MD5, 184 .algorithm_ssl = SSL_SSLV3, 185 .algo_strength = SSL_STRONG_NONE, 186 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 187 .strength_bits = 0, 188 .alg_bits = 0, 189 }, 190 191 /* Cipher 02 */ 192 { 193 .valid = 1, 194 .name = SSL3_TXT_RSA_NULL_SHA, 195 .id = SSL3_CK_RSA_NULL_SHA, 196 .algorithm_mkey = SSL_kRSA, 197 .algorithm_auth = SSL_aRSA, 198 .algorithm_enc = SSL_eNULL, 199 .algorithm_mac = SSL_SHA1, 200 .algorithm_ssl = SSL_SSLV3, 201 .algo_strength = SSL_STRONG_NONE, 202 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 203 .strength_bits = 0, 204 .alg_bits = 0, 205 }, 206 207 /* Cipher 04 */ 208 { 209 .valid = 1, 210 .name = SSL3_TXT_RSA_RC4_128_MD5, 211 .id = SSL3_CK_RSA_RC4_128_MD5, 212 .algorithm_mkey = SSL_kRSA, 213 .algorithm_auth = SSL_aRSA, 214 .algorithm_enc = SSL_RC4, 215 .algorithm_mac = SSL_MD5, 216 .algorithm_ssl = SSL_SSLV3, 217 .algo_strength = SSL_LOW, 218 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 219 .strength_bits = 128, 220 .alg_bits = 128, 221 }, 222 223 /* Cipher 05 */ 224 { 225 .valid = 1, 226 .name = SSL3_TXT_RSA_RC4_128_SHA, 227 .id = SSL3_CK_RSA_RC4_128_SHA, 228 .algorithm_mkey = SSL_kRSA, 229 .algorithm_auth = SSL_aRSA, 230 .algorithm_enc = SSL_RC4, 231 .algorithm_mac = SSL_SHA1, 232 .algorithm_ssl = SSL_SSLV3, 233 .algo_strength = SSL_LOW, 234 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 235 .strength_bits = 128, 236 .alg_bits = 128, 237 }, 238 239 /* Cipher 0A */ 240 { 241 .valid = 1, 242 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 243 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 244 .algorithm_mkey = SSL_kRSA, 245 .algorithm_auth = SSL_aRSA, 246 .algorithm_enc = SSL_3DES, 247 .algorithm_mac = SSL_SHA1, 248 .algorithm_ssl = SSL_SSLV3, 249 .algo_strength = SSL_MEDIUM, 250 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 251 .strength_bits = 112, 252 .alg_bits = 168, 253 }, 254 255 /* 256 * Ephemeral DH (DHE) ciphers. 257 */ 258 259 /* Cipher 16 */ 260 { 261 .valid = 1, 262 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 263 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 264 .algorithm_mkey = SSL_kDHE, 265 .algorithm_auth = SSL_aRSA, 266 .algorithm_enc = SSL_3DES, 267 .algorithm_mac = SSL_SHA1, 268 .algorithm_ssl = SSL_SSLV3, 269 .algo_strength = SSL_MEDIUM, 270 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 271 .strength_bits = 112, 272 .alg_bits = 168, 273 }, 274 275 /* Cipher 18 */ 276 { 277 .valid = 1, 278 .name = SSL3_TXT_ADH_RC4_128_MD5, 279 .id = SSL3_CK_ADH_RC4_128_MD5, 280 .algorithm_mkey = SSL_kDHE, 281 .algorithm_auth = SSL_aNULL, 282 .algorithm_enc = SSL_RC4, 283 .algorithm_mac = SSL_MD5, 284 .algorithm_ssl = SSL_SSLV3, 285 .algo_strength = SSL_LOW, 286 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 287 .strength_bits = 128, 288 .alg_bits = 128, 289 }, 290 291 /* Cipher 1B */ 292 { 293 .valid = 1, 294 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 295 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 296 .algorithm_mkey = SSL_kDHE, 297 .algorithm_auth = SSL_aNULL, 298 .algorithm_enc = SSL_3DES, 299 .algorithm_mac = SSL_SHA1, 300 .algorithm_ssl = SSL_SSLV3, 301 .algo_strength = SSL_MEDIUM, 302 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 303 .strength_bits = 112, 304 .alg_bits = 168, 305 }, 306 307 /* 308 * AES ciphersuites. 309 */ 310 311 /* Cipher 2F */ 312 { 313 .valid = 1, 314 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 315 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 316 .algorithm_mkey = SSL_kRSA, 317 .algorithm_auth = SSL_aRSA, 318 .algorithm_enc = SSL_AES128, 319 .algorithm_mac = SSL_SHA1, 320 .algorithm_ssl = SSL_TLSV1, 321 .algo_strength = SSL_HIGH, 322 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 323 .strength_bits = 128, 324 .alg_bits = 128, 325 }, 326 327 /* Cipher 33 */ 328 { 329 .valid = 1, 330 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 331 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 332 .algorithm_mkey = SSL_kDHE, 333 .algorithm_auth = SSL_aRSA, 334 .algorithm_enc = SSL_AES128, 335 .algorithm_mac = SSL_SHA1, 336 .algorithm_ssl = SSL_TLSV1, 337 .algo_strength = SSL_HIGH, 338 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 339 .strength_bits = 128, 340 .alg_bits = 128, 341 }, 342 343 /* Cipher 34 */ 344 { 345 .valid = 1, 346 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 347 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 348 .algorithm_mkey = SSL_kDHE, 349 .algorithm_auth = SSL_aNULL, 350 .algorithm_enc = SSL_AES128, 351 .algorithm_mac = SSL_SHA1, 352 .algorithm_ssl = SSL_TLSV1, 353 .algo_strength = SSL_HIGH, 354 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 355 .strength_bits = 128, 356 .alg_bits = 128, 357 }, 358 359 /* Cipher 35 */ 360 { 361 .valid = 1, 362 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 363 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 364 .algorithm_mkey = SSL_kRSA, 365 .algorithm_auth = SSL_aRSA, 366 .algorithm_enc = SSL_AES256, 367 .algorithm_mac = SSL_SHA1, 368 .algorithm_ssl = SSL_TLSV1, 369 .algo_strength = SSL_HIGH, 370 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 371 .strength_bits = 256, 372 .alg_bits = 256, 373 }, 374 375 /* Cipher 39 */ 376 { 377 .valid = 1, 378 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 379 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 380 .algorithm_mkey = SSL_kDHE, 381 .algorithm_auth = SSL_aRSA, 382 .algorithm_enc = SSL_AES256, 383 .algorithm_mac = SSL_SHA1, 384 .algorithm_ssl = SSL_TLSV1, 385 .algo_strength = SSL_HIGH, 386 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 387 .strength_bits = 256, 388 .alg_bits = 256, 389 }, 390 391 /* Cipher 3A */ 392 { 393 .valid = 1, 394 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 395 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 396 .algorithm_mkey = SSL_kDHE, 397 .algorithm_auth = SSL_aNULL, 398 .algorithm_enc = SSL_AES256, 399 .algorithm_mac = SSL_SHA1, 400 .algorithm_ssl = SSL_TLSV1, 401 .algo_strength = SSL_HIGH, 402 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 403 .strength_bits = 256, 404 .alg_bits = 256, 405 }, 406 407 /* TLS v1.2 ciphersuites */ 408 /* Cipher 3B */ 409 { 410 .valid = 1, 411 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 412 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 413 .algorithm_mkey = SSL_kRSA, 414 .algorithm_auth = SSL_aRSA, 415 .algorithm_enc = SSL_eNULL, 416 .algorithm_mac = SSL_SHA256, 417 .algorithm_ssl = SSL_TLSV1_2, 418 .algo_strength = SSL_STRONG_NONE, 419 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 420 .strength_bits = 0, 421 .alg_bits = 0, 422 }, 423 424 /* Cipher 3C */ 425 { 426 .valid = 1, 427 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 428 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 429 .algorithm_mkey = SSL_kRSA, 430 .algorithm_auth = SSL_aRSA, 431 .algorithm_enc = SSL_AES128, 432 .algorithm_mac = SSL_SHA256, 433 .algorithm_ssl = SSL_TLSV1_2, 434 .algo_strength = SSL_HIGH, 435 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 436 .strength_bits = 128, 437 .alg_bits = 128, 438 }, 439 440 /* Cipher 3D */ 441 { 442 .valid = 1, 443 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 444 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 445 .algorithm_mkey = SSL_kRSA, 446 .algorithm_auth = SSL_aRSA, 447 .algorithm_enc = SSL_AES256, 448 .algorithm_mac = SSL_SHA256, 449 .algorithm_ssl = SSL_TLSV1_2, 450 .algo_strength = SSL_HIGH, 451 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 452 .strength_bits = 256, 453 .alg_bits = 256, 454 }, 455 456 #ifndef OPENSSL_NO_CAMELLIA 457 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 458 459 /* Cipher 41 */ 460 { 461 .valid = 1, 462 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 463 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 464 .algorithm_mkey = SSL_kRSA, 465 .algorithm_auth = SSL_aRSA, 466 .algorithm_enc = SSL_CAMELLIA128, 467 .algorithm_mac = SSL_SHA1, 468 .algorithm_ssl = SSL_TLSV1, 469 .algo_strength = SSL_HIGH, 470 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 471 .strength_bits = 128, 472 .alg_bits = 128, 473 }, 474 475 /* Cipher 45 */ 476 { 477 .valid = 1, 478 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 479 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 480 .algorithm_mkey = SSL_kDHE, 481 .algorithm_auth = SSL_aRSA, 482 .algorithm_enc = SSL_CAMELLIA128, 483 .algorithm_mac = SSL_SHA1, 484 .algorithm_ssl = SSL_TLSV1, 485 .algo_strength = SSL_HIGH, 486 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 487 .strength_bits = 128, 488 .alg_bits = 128, 489 }, 490 491 /* Cipher 46 */ 492 { 493 .valid = 1, 494 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 495 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 496 .algorithm_mkey = SSL_kDHE, 497 .algorithm_auth = SSL_aNULL, 498 .algorithm_enc = SSL_CAMELLIA128, 499 .algorithm_mac = SSL_SHA1, 500 .algorithm_ssl = SSL_TLSV1, 501 .algo_strength = SSL_HIGH, 502 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 503 .strength_bits = 128, 504 .alg_bits = 128, 505 }, 506 #endif /* OPENSSL_NO_CAMELLIA */ 507 508 /* TLS v1.2 ciphersuites */ 509 /* Cipher 67 */ 510 { 511 .valid = 1, 512 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 513 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 514 .algorithm_mkey = SSL_kDHE, 515 .algorithm_auth = SSL_aRSA, 516 .algorithm_enc = SSL_AES128, 517 .algorithm_mac = SSL_SHA256, 518 .algorithm_ssl = SSL_TLSV1_2, 519 .algo_strength = SSL_HIGH, 520 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 521 .strength_bits = 128, 522 .alg_bits = 128, 523 }, 524 525 /* Cipher 6B */ 526 { 527 .valid = 1, 528 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 529 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 530 .algorithm_mkey = SSL_kDHE, 531 .algorithm_auth = SSL_aRSA, 532 .algorithm_enc = SSL_AES256, 533 .algorithm_mac = SSL_SHA256, 534 .algorithm_ssl = SSL_TLSV1_2, 535 .algo_strength = SSL_HIGH, 536 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 537 .strength_bits = 256, 538 .alg_bits = 256, 539 }, 540 541 /* Cipher 6C */ 542 { 543 .valid = 1, 544 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 545 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 546 .algorithm_mkey = SSL_kDHE, 547 .algorithm_auth = SSL_aNULL, 548 .algorithm_enc = SSL_AES128, 549 .algorithm_mac = SSL_SHA256, 550 .algorithm_ssl = SSL_TLSV1_2, 551 .algo_strength = SSL_HIGH, 552 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 553 .strength_bits = 128, 554 .alg_bits = 128, 555 }, 556 557 /* Cipher 6D */ 558 { 559 .valid = 1, 560 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 561 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 562 .algorithm_mkey = SSL_kDHE, 563 .algorithm_auth = SSL_aNULL, 564 .algorithm_enc = SSL_AES256, 565 .algorithm_mac = SSL_SHA256, 566 .algorithm_ssl = SSL_TLSV1_2, 567 .algo_strength = SSL_HIGH, 568 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 569 .strength_bits = 256, 570 .alg_bits = 256, 571 }, 572 573 #ifndef OPENSSL_NO_CAMELLIA 574 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 575 576 /* Cipher 84 */ 577 { 578 .valid = 1, 579 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 580 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 581 .algorithm_mkey = SSL_kRSA, 582 .algorithm_auth = SSL_aRSA, 583 .algorithm_enc = SSL_CAMELLIA256, 584 .algorithm_mac = SSL_SHA1, 585 .algorithm_ssl = SSL_TLSV1, 586 .algo_strength = SSL_HIGH, 587 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 588 .strength_bits = 256, 589 .alg_bits = 256, 590 }, 591 592 /* Cipher 88 */ 593 { 594 .valid = 1, 595 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 596 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 597 .algorithm_mkey = SSL_kDHE, 598 .algorithm_auth = SSL_aRSA, 599 .algorithm_enc = SSL_CAMELLIA256, 600 .algorithm_mac = SSL_SHA1, 601 .algorithm_ssl = SSL_TLSV1, 602 .algo_strength = SSL_HIGH, 603 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 604 .strength_bits = 256, 605 .alg_bits = 256, 606 }, 607 608 /* Cipher 89 */ 609 { 610 .valid = 1, 611 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 612 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 613 .algorithm_mkey = SSL_kDHE, 614 .algorithm_auth = SSL_aNULL, 615 .algorithm_enc = SSL_CAMELLIA256, 616 .algorithm_mac = SSL_SHA1, 617 .algorithm_ssl = SSL_TLSV1, 618 .algo_strength = SSL_HIGH, 619 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 620 .strength_bits = 256, 621 .alg_bits = 256, 622 }, 623 #endif /* OPENSSL_NO_CAMELLIA */ 624 625 /* 626 * GCM ciphersuites from RFC5288. 627 */ 628 629 /* Cipher 9C */ 630 { 631 .valid = 1, 632 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 633 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 634 .algorithm_mkey = SSL_kRSA, 635 .algorithm_auth = SSL_aRSA, 636 .algorithm_enc = SSL_AES128GCM, 637 .algorithm_mac = SSL_AEAD, 638 .algorithm_ssl = SSL_TLSV1_2, 639 .algo_strength = SSL_HIGH, 640 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 641 .strength_bits = 128, 642 .alg_bits = 128, 643 }, 644 645 /* Cipher 9D */ 646 { 647 .valid = 1, 648 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 649 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 650 .algorithm_mkey = SSL_kRSA, 651 .algorithm_auth = SSL_aRSA, 652 .algorithm_enc = SSL_AES256GCM, 653 .algorithm_mac = SSL_AEAD, 654 .algorithm_ssl = SSL_TLSV1_2, 655 .algo_strength = SSL_HIGH, 656 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 657 .strength_bits = 256, 658 .alg_bits = 256, 659 }, 660 661 /* Cipher 9E */ 662 { 663 .valid = 1, 664 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 665 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 666 .algorithm_mkey = SSL_kDHE, 667 .algorithm_auth = SSL_aRSA, 668 .algorithm_enc = SSL_AES128GCM, 669 .algorithm_mac = SSL_AEAD, 670 .algorithm_ssl = SSL_TLSV1_2, 671 .algo_strength = SSL_HIGH, 672 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 673 .strength_bits = 128, 674 .alg_bits = 128, 675 }, 676 677 /* Cipher 9F */ 678 { 679 .valid = 1, 680 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 681 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 682 .algorithm_mkey = SSL_kDHE, 683 .algorithm_auth = SSL_aRSA, 684 .algorithm_enc = SSL_AES256GCM, 685 .algorithm_mac = SSL_AEAD, 686 .algorithm_ssl = SSL_TLSV1_2, 687 .algo_strength = SSL_HIGH, 688 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 689 .strength_bits = 256, 690 .alg_bits = 256, 691 }, 692 693 /* Cipher A6 */ 694 { 695 .valid = 1, 696 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 697 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 698 .algorithm_mkey = SSL_kDHE, 699 .algorithm_auth = SSL_aNULL, 700 .algorithm_enc = SSL_AES128GCM, 701 .algorithm_mac = SSL_AEAD, 702 .algorithm_ssl = SSL_TLSV1_2, 703 .algo_strength = SSL_HIGH, 704 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 705 .strength_bits = 128, 706 .alg_bits = 128, 707 }, 708 709 /* Cipher A7 */ 710 { 711 .valid = 1, 712 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 713 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 714 .algorithm_mkey = SSL_kDHE, 715 .algorithm_auth = SSL_aNULL, 716 .algorithm_enc = SSL_AES256GCM, 717 .algorithm_mac = SSL_AEAD, 718 .algorithm_ssl = SSL_TLSV1_2, 719 .algo_strength = SSL_HIGH, 720 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 721 .strength_bits = 256, 722 .alg_bits = 256, 723 }, 724 725 #ifndef OPENSSL_NO_CAMELLIA 726 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 727 728 /* Cipher BA */ 729 { 730 .valid = 1, 731 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 732 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 733 .algorithm_mkey = SSL_kRSA, 734 .algorithm_auth = SSL_aRSA, 735 .algorithm_enc = SSL_CAMELLIA128, 736 .algorithm_mac = SSL_SHA256, 737 .algorithm_ssl = SSL_TLSV1_2, 738 .algo_strength = SSL_HIGH, 739 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 740 .strength_bits = 128, 741 .alg_bits = 128, 742 }, 743 744 /* Cipher BE */ 745 { 746 .valid = 1, 747 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 748 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 749 .algorithm_mkey = SSL_kDHE, 750 .algorithm_auth = SSL_aRSA, 751 .algorithm_enc = SSL_CAMELLIA128, 752 .algorithm_mac = SSL_SHA256, 753 .algorithm_ssl = SSL_TLSV1_2, 754 .algo_strength = SSL_HIGH, 755 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 756 .strength_bits = 128, 757 .alg_bits = 128, 758 }, 759 760 /* Cipher BF */ 761 { 762 .valid = 1, 763 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 764 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 765 .algorithm_mkey = SSL_kDHE, 766 .algorithm_auth = SSL_aNULL, 767 .algorithm_enc = SSL_CAMELLIA128, 768 .algorithm_mac = SSL_SHA256, 769 .algorithm_ssl = SSL_TLSV1_2, 770 .algo_strength = SSL_HIGH, 771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 772 .strength_bits = 128, 773 .alg_bits = 128, 774 }, 775 776 /* Cipher C0 */ 777 { 778 .valid = 1, 779 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 780 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 781 .algorithm_mkey = SSL_kRSA, 782 .algorithm_auth = SSL_aRSA, 783 .algorithm_enc = SSL_CAMELLIA256, 784 .algorithm_mac = SSL_SHA256, 785 .algorithm_ssl = SSL_TLSV1_2, 786 .algo_strength = SSL_HIGH, 787 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 788 .strength_bits = 256, 789 .alg_bits = 256, 790 }, 791 792 /* Cipher C4 */ 793 { 794 .valid = 1, 795 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 796 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 797 .algorithm_mkey = SSL_kDHE, 798 .algorithm_auth = SSL_aRSA, 799 .algorithm_enc = SSL_CAMELLIA256, 800 .algorithm_mac = SSL_SHA256, 801 .algorithm_ssl = SSL_TLSV1_2, 802 .algo_strength = SSL_HIGH, 803 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 804 .strength_bits = 256, 805 .alg_bits = 256, 806 }, 807 808 /* Cipher C5 */ 809 { 810 .valid = 1, 811 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 812 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 813 .algorithm_mkey = SSL_kDHE, 814 .algorithm_auth = SSL_aNULL, 815 .algorithm_enc = SSL_CAMELLIA256, 816 .algorithm_mac = SSL_SHA256, 817 .algorithm_ssl = SSL_TLSV1_2, 818 .algo_strength = SSL_HIGH, 819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 820 .strength_bits = 256, 821 .alg_bits = 256, 822 }, 823 #endif /* OPENSSL_NO_CAMELLIA */ 824 825 /* 826 * TLSv1.3 cipher suites. 827 */ 828 829 #ifdef LIBRESSL_HAS_TLS1_3 830 /* Cipher 1301 */ 831 { 832 .valid = 1, 833 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 834 .id = TLS1_3_CK_AES_128_GCM_SHA256, 835 .algorithm_mkey = SSL_kTLS1_3, 836 .algorithm_auth = SSL_aTLS1_3, 837 .algorithm_enc = SSL_AES128GCM, 838 .algorithm_mac = SSL_AEAD, 839 .algorithm_ssl = SSL_TLSV1_3, 840 .algo_strength = SSL_HIGH, 841 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 842 .strength_bits = 128, 843 .alg_bits = 128, 844 }, 845 846 /* Cipher 1302 */ 847 { 848 .valid = 1, 849 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 850 .id = TLS1_3_CK_AES_256_GCM_SHA384, 851 .algorithm_mkey = SSL_kTLS1_3, 852 .algorithm_auth = SSL_aTLS1_3, 853 .algorithm_enc = SSL_AES256GCM, 854 .algorithm_mac = SSL_AEAD, 855 .algorithm_ssl = SSL_TLSV1_3, 856 .algo_strength = SSL_HIGH, 857 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 858 .strength_bits = 256, 859 .alg_bits = 256, 860 }, 861 862 /* Cipher 1303 */ 863 { 864 .valid = 1, 865 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 866 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 867 .algorithm_mkey = SSL_kTLS1_3, 868 .algorithm_auth = SSL_aTLS1_3, 869 .algorithm_enc = SSL_CHACHA20POLY1305, 870 .algorithm_mac = SSL_AEAD, 871 .algorithm_ssl = SSL_TLSV1_3, 872 .algo_strength = SSL_HIGH, 873 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 874 .strength_bits = 256, 875 .alg_bits = 256, 876 }, 877 #endif 878 879 /* Cipher C006 */ 880 { 881 .valid = 1, 882 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 883 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 884 .algorithm_mkey = SSL_kECDHE, 885 .algorithm_auth = SSL_aECDSA, 886 .algorithm_enc = SSL_eNULL, 887 .algorithm_mac = SSL_SHA1, 888 .algorithm_ssl = SSL_TLSV1, 889 .algo_strength = SSL_STRONG_NONE, 890 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 891 .strength_bits = 0, 892 .alg_bits = 0, 893 }, 894 895 /* Cipher C007 */ 896 { 897 .valid = 1, 898 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 899 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 900 .algorithm_mkey = SSL_kECDHE, 901 .algorithm_auth = SSL_aECDSA, 902 .algorithm_enc = SSL_RC4, 903 .algorithm_mac = SSL_SHA1, 904 .algorithm_ssl = SSL_TLSV1, 905 .algo_strength = SSL_LOW, 906 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 907 .strength_bits = 128, 908 .alg_bits = 128, 909 }, 910 911 /* Cipher C008 */ 912 { 913 .valid = 1, 914 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 915 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 916 .algorithm_mkey = SSL_kECDHE, 917 .algorithm_auth = SSL_aECDSA, 918 .algorithm_enc = SSL_3DES, 919 .algorithm_mac = SSL_SHA1, 920 .algorithm_ssl = SSL_TLSV1, 921 .algo_strength = SSL_MEDIUM, 922 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 923 .strength_bits = 112, 924 .alg_bits = 168, 925 }, 926 927 /* Cipher C009 */ 928 { 929 .valid = 1, 930 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 931 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 932 .algorithm_mkey = SSL_kECDHE, 933 .algorithm_auth = SSL_aECDSA, 934 .algorithm_enc = SSL_AES128, 935 .algorithm_mac = SSL_SHA1, 936 .algorithm_ssl = SSL_TLSV1, 937 .algo_strength = SSL_HIGH, 938 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 939 .strength_bits = 128, 940 .alg_bits = 128, 941 }, 942 943 /* Cipher C00A */ 944 { 945 .valid = 1, 946 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 947 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 948 .algorithm_mkey = SSL_kECDHE, 949 .algorithm_auth = SSL_aECDSA, 950 .algorithm_enc = SSL_AES256, 951 .algorithm_mac = SSL_SHA1, 952 .algorithm_ssl = SSL_TLSV1, 953 .algo_strength = SSL_HIGH, 954 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 955 .strength_bits = 256, 956 .alg_bits = 256, 957 }, 958 959 /* Cipher C010 */ 960 { 961 .valid = 1, 962 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 963 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 964 .algorithm_mkey = SSL_kECDHE, 965 .algorithm_auth = SSL_aRSA, 966 .algorithm_enc = SSL_eNULL, 967 .algorithm_mac = SSL_SHA1, 968 .algorithm_ssl = SSL_TLSV1, 969 .algo_strength = SSL_STRONG_NONE, 970 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 971 .strength_bits = 0, 972 .alg_bits = 0, 973 }, 974 975 /* Cipher C011 */ 976 { 977 .valid = 1, 978 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 979 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 980 .algorithm_mkey = SSL_kECDHE, 981 .algorithm_auth = SSL_aRSA, 982 .algorithm_enc = SSL_RC4, 983 .algorithm_mac = SSL_SHA1, 984 .algorithm_ssl = SSL_TLSV1, 985 .algo_strength = SSL_LOW, 986 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 987 .strength_bits = 128, 988 .alg_bits = 128, 989 }, 990 991 /* Cipher C012 */ 992 { 993 .valid = 1, 994 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 995 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 996 .algorithm_mkey = SSL_kECDHE, 997 .algorithm_auth = SSL_aRSA, 998 .algorithm_enc = SSL_3DES, 999 .algorithm_mac = SSL_SHA1, 1000 .algorithm_ssl = SSL_TLSV1, 1001 .algo_strength = SSL_MEDIUM, 1002 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1003 .strength_bits = 112, 1004 .alg_bits = 168, 1005 }, 1006 1007 /* Cipher C013 */ 1008 { 1009 .valid = 1, 1010 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1011 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1012 .algorithm_mkey = SSL_kECDHE, 1013 .algorithm_auth = SSL_aRSA, 1014 .algorithm_enc = SSL_AES128, 1015 .algorithm_mac = SSL_SHA1, 1016 .algorithm_ssl = SSL_TLSV1, 1017 .algo_strength = SSL_HIGH, 1018 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1019 .strength_bits = 128, 1020 .alg_bits = 128, 1021 }, 1022 1023 /* Cipher C014 */ 1024 { 1025 .valid = 1, 1026 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1027 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1028 .algorithm_mkey = SSL_kECDHE, 1029 .algorithm_auth = SSL_aRSA, 1030 .algorithm_enc = SSL_AES256, 1031 .algorithm_mac = SSL_SHA1, 1032 .algorithm_ssl = SSL_TLSV1, 1033 .algo_strength = SSL_HIGH, 1034 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1035 .strength_bits = 256, 1036 .alg_bits = 256, 1037 }, 1038 1039 /* Cipher C015 */ 1040 { 1041 .valid = 1, 1042 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1043 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1044 .algorithm_mkey = SSL_kECDHE, 1045 .algorithm_auth = SSL_aNULL, 1046 .algorithm_enc = SSL_eNULL, 1047 .algorithm_mac = SSL_SHA1, 1048 .algorithm_ssl = SSL_TLSV1, 1049 .algo_strength = SSL_STRONG_NONE, 1050 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1051 .strength_bits = 0, 1052 .alg_bits = 0, 1053 }, 1054 1055 /* Cipher C016 */ 1056 { 1057 .valid = 1, 1058 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1059 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1060 .algorithm_mkey = SSL_kECDHE, 1061 .algorithm_auth = SSL_aNULL, 1062 .algorithm_enc = SSL_RC4, 1063 .algorithm_mac = SSL_SHA1, 1064 .algorithm_ssl = SSL_TLSV1, 1065 .algo_strength = SSL_LOW, 1066 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1067 .strength_bits = 128, 1068 .alg_bits = 128, 1069 }, 1070 1071 /* Cipher C017 */ 1072 { 1073 .valid = 1, 1074 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1075 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1076 .algorithm_mkey = SSL_kECDHE, 1077 .algorithm_auth = SSL_aNULL, 1078 .algorithm_enc = SSL_3DES, 1079 .algorithm_mac = SSL_SHA1, 1080 .algorithm_ssl = SSL_TLSV1, 1081 .algo_strength = SSL_MEDIUM, 1082 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1083 .strength_bits = 112, 1084 .alg_bits = 168, 1085 }, 1086 1087 /* Cipher C018 */ 1088 { 1089 .valid = 1, 1090 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1091 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1092 .algorithm_mkey = SSL_kECDHE, 1093 .algorithm_auth = SSL_aNULL, 1094 .algorithm_enc = SSL_AES128, 1095 .algorithm_mac = SSL_SHA1, 1096 .algorithm_ssl = SSL_TLSV1, 1097 .algo_strength = SSL_HIGH, 1098 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1099 .strength_bits = 128, 1100 .alg_bits = 128, 1101 }, 1102 1103 /* Cipher C019 */ 1104 { 1105 .valid = 1, 1106 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1107 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1108 .algorithm_mkey = SSL_kECDHE, 1109 .algorithm_auth = SSL_aNULL, 1110 .algorithm_enc = SSL_AES256, 1111 .algorithm_mac = SSL_SHA1, 1112 .algorithm_ssl = SSL_TLSV1, 1113 .algo_strength = SSL_HIGH, 1114 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1115 .strength_bits = 256, 1116 .alg_bits = 256, 1117 }, 1118 1119 1120 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1121 1122 /* Cipher C023 */ 1123 { 1124 .valid = 1, 1125 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1126 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1127 .algorithm_mkey = SSL_kECDHE, 1128 .algorithm_auth = SSL_aECDSA, 1129 .algorithm_enc = SSL_AES128, 1130 .algorithm_mac = SSL_SHA256, 1131 .algorithm_ssl = SSL_TLSV1_2, 1132 .algo_strength = SSL_HIGH, 1133 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1134 .strength_bits = 128, 1135 .alg_bits = 128, 1136 }, 1137 1138 /* Cipher C024 */ 1139 { 1140 .valid = 1, 1141 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1142 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1143 .algorithm_mkey = SSL_kECDHE, 1144 .algorithm_auth = SSL_aECDSA, 1145 .algorithm_enc = SSL_AES256, 1146 .algorithm_mac = SSL_SHA384, 1147 .algorithm_ssl = SSL_TLSV1_2, 1148 .algo_strength = SSL_HIGH, 1149 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1150 .strength_bits = 256, 1151 .alg_bits = 256, 1152 }, 1153 1154 /* Cipher C027 */ 1155 { 1156 .valid = 1, 1157 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1158 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1159 .algorithm_mkey = SSL_kECDHE, 1160 .algorithm_auth = SSL_aRSA, 1161 .algorithm_enc = SSL_AES128, 1162 .algorithm_mac = SSL_SHA256, 1163 .algorithm_ssl = SSL_TLSV1_2, 1164 .algo_strength = SSL_HIGH, 1165 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1166 .strength_bits = 128, 1167 .alg_bits = 128, 1168 }, 1169 1170 /* Cipher C028 */ 1171 { 1172 .valid = 1, 1173 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1174 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1175 .algorithm_mkey = SSL_kECDHE, 1176 .algorithm_auth = SSL_aRSA, 1177 .algorithm_enc = SSL_AES256, 1178 .algorithm_mac = SSL_SHA384, 1179 .algorithm_ssl = SSL_TLSV1_2, 1180 .algo_strength = SSL_HIGH, 1181 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1182 .strength_bits = 256, 1183 .alg_bits = 256, 1184 }, 1185 1186 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1187 1188 /* Cipher C02B */ 1189 { 1190 .valid = 1, 1191 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1192 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1193 .algorithm_mkey = SSL_kECDHE, 1194 .algorithm_auth = SSL_aECDSA, 1195 .algorithm_enc = SSL_AES128GCM, 1196 .algorithm_mac = SSL_AEAD, 1197 .algorithm_ssl = SSL_TLSV1_2, 1198 .algo_strength = SSL_HIGH, 1199 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1200 .strength_bits = 128, 1201 .alg_bits = 128, 1202 }, 1203 1204 /* Cipher C02C */ 1205 { 1206 .valid = 1, 1207 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1208 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1209 .algorithm_mkey = SSL_kECDHE, 1210 .algorithm_auth = SSL_aECDSA, 1211 .algorithm_enc = SSL_AES256GCM, 1212 .algorithm_mac = SSL_AEAD, 1213 .algorithm_ssl = SSL_TLSV1_2, 1214 .algo_strength = SSL_HIGH, 1215 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1216 .strength_bits = 256, 1217 .alg_bits = 256, 1218 }, 1219 1220 /* Cipher C02F */ 1221 { 1222 .valid = 1, 1223 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1224 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1225 .algorithm_mkey = SSL_kECDHE, 1226 .algorithm_auth = SSL_aRSA, 1227 .algorithm_enc = SSL_AES128GCM, 1228 .algorithm_mac = SSL_AEAD, 1229 .algorithm_ssl = SSL_TLSV1_2, 1230 .algo_strength = SSL_HIGH, 1231 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1232 .strength_bits = 128, 1233 .alg_bits = 128, 1234 }, 1235 1236 /* Cipher C030 */ 1237 { 1238 .valid = 1, 1239 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1240 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1241 .algorithm_mkey = SSL_kECDHE, 1242 .algorithm_auth = SSL_aRSA, 1243 .algorithm_enc = SSL_AES256GCM, 1244 .algorithm_mac = SSL_AEAD, 1245 .algorithm_ssl = SSL_TLSV1_2, 1246 .algo_strength = SSL_HIGH, 1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1248 .strength_bits = 256, 1249 .alg_bits = 256, 1250 }, 1251 1252 /* Cipher CCA8 */ 1253 { 1254 .valid = 1, 1255 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1256 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1257 .algorithm_mkey = SSL_kECDHE, 1258 .algorithm_auth = SSL_aRSA, 1259 .algorithm_enc = SSL_CHACHA20POLY1305, 1260 .algorithm_mac = SSL_AEAD, 1261 .algorithm_ssl = SSL_TLSV1_2, 1262 .algo_strength = SSL_HIGH, 1263 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1264 .strength_bits = 256, 1265 .alg_bits = 256, 1266 }, 1267 1268 /* Cipher CCA9 */ 1269 { 1270 .valid = 1, 1271 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1272 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1273 .algorithm_mkey = SSL_kECDHE, 1274 .algorithm_auth = SSL_aECDSA, 1275 .algorithm_enc = SSL_CHACHA20POLY1305, 1276 .algorithm_mac = SSL_AEAD, 1277 .algorithm_ssl = SSL_TLSV1_2, 1278 .algo_strength = SSL_HIGH, 1279 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1280 .strength_bits = 256, 1281 .alg_bits = 256, 1282 }, 1283 1284 /* Cipher CCAA */ 1285 { 1286 .valid = 1, 1287 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1288 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1289 .algorithm_mkey = SSL_kDHE, 1290 .algorithm_auth = SSL_aRSA, 1291 .algorithm_enc = SSL_CHACHA20POLY1305, 1292 .algorithm_mac = SSL_AEAD, 1293 .algorithm_ssl = SSL_TLSV1_2, 1294 .algo_strength = SSL_HIGH, 1295 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1296 .strength_bits = 256, 1297 .alg_bits = 256, 1298 }, 1299 1300 /* end of list */ 1301 }; 1302 1303 int 1304 ssl3_num_ciphers(void) 1305 { 1306 return (SSL3_NUM_CIPHERS); 1307 } 1308 1309 const SSL_CIPHER * 1310 ssl3_get_cipher(unsigned int u) 1311 { 1312 if (u < SSL3_NUM_CIPHERS) 1313 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1314 else 1315 return (NULL); 1316 } 1317 1318 static int 1319 ssl3_cipher_id_cmp(const void *id, const void *cipher) 1320 { 1321 unsigned long a = *(const unsigned long *)id; 1322 unsigned long b = ((const SSL_CIPHER *)cipher)->id; 1323 1324 return a < b ? -1 : a > b; 1325 } 1326 1327 const SSL_CIPHER * 1328 ssl3_get_cipher_by_id(unsigned long id) 1329 { 1330 const SSL_CIPHER *cipher; 1331 1332 cipher = bsearch(&id, ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(*cipher), 1333 ssl3_cipher_id_cmp); 1334 if (cipher != NULL && cipher->valid == 1) 1335 return cipher; 1336 1337 return NULL; 1338 } 1339 1340 const SSL_CIPHER * 1341 ssl3_get_cipher_by_value(uint16_t value) 1342 { 1343 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1344 } 1345 1346 uint16_t 1347 ssl3_cipher_get_value(const SSL_CIPHER *c) 1348 { 1349 return (c->id & SSL3_CK_VALUE_MASK); 1350 } 1351 1352 int 1353 ssl3_pending(const SSL *s) 1354 { 1355 if (s->s3->rcontent == NULL) 1356 return 0; 1357 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) 1358 return 0; 1359 1360 return tls_content_remaining(s->s3->rcontent); 1361 } 1362 1363 int 1364 ssl3_handshake_msg_hdr_len(SSL *s) 1365 { 1366 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1367 SSL3_HM_HEADER_LENGTH); 1368 } 1369 1370 int 1371 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1372 { 1373 int ret = 0; 1374 1375 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1376 goto err; 1377 if (!CBB_add_u8(handshake, msg_type)) 1378 goto err; 1379 if (SSL_is_dtls(s)) { 1380 unsigned char *data; 1381 1382 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1383 SSL3_HM_HEADER_LENGTH)) 1384 goto err; 1385 } 1386 if (!CBB_add_u24_length_prefixed(handshake, body)) 1387 goto err; 1388 1389 ret = 1; 1390 1391 err: 1392 return (ret); 1393 } 1394 1395 int 1396 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1397 { 1398 unsigned char *data = NULL; 1399 size_t outlen; 1400 int ret = 0; 1401 1402 if (!CBB_finish(handshake, &data, &outlen)) 1403 goto err; 1404 1405 if (outlen > INT_MAX) 1406 goto err; 1407 1408 if (!BUF_MEM_grow_clean(s->init_buf, outlen)) 1409 goto err; 1410 1411 memcpy(s->init_buf->data, data, outlen); 1412 1413 s->init_num = (int)outlen; 1414 s->init_off = 0; 1415 1416 if (SSL_is_dtls(s)) { 1417 unsigned long len; 1418 uint8_t msg_type; 1419 CBS cbs; 1420 1421 CBS_init(&cbs, data, outlen); 1422 if (!CBS_get_u8(&cbs, &msg_type)) 1423 goto err; 1424 1425 len = outlen - ssl3_handshake_msg_hdr_len(s); 1426 1427 dtls1_set_message_header(s, msg_type, len, 0, len); 1428 dtls1_buffer_message(s, 0); 1429 } 1430 1431 ret = 1; 1432 1433 err: 1434 free(data); 1435 1436 return (ret); 1437 } 1438 1439 int 1440 ssl3_handshake_write(SSL *s) 1441 { 1442 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1443 } 1444 1445 int 1446 ssl3_record_write(SSL *s, int type) 1447 { 1448 if (SSL_is_dtls(s)) 1449 return dtls1_do_write(s, type); 1450 1451 return ssl3_do_write(s, type); 1452 } 1453 1454 int 1455 ssl3_new(SSL *s) 1456 { 1457 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1458 return (0); 1459 1460 s->method->ssl_clear(s); 1461 1462 return (1); 1463 } 1464 1465 void 1466 ssl3_free(SSL *s) 1467 { 1468 if (s == NULL) 1469 return; 1470 1471 tls1_cleanup_key_block(s); 1472 ssl3_release_read_buffer(s); 1473 ssl3_release_write_buffer(s); 1474 1475 tls_content_free(s->s3->rcontent); 1476 1477 tls_buffer_free(s->s3->alert_fragment); 1478 tls_buffer_free(s->s3->handshake_fragment); 1479 1480 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1481 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1482 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1483 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1484 tls_key_share_free(s->s3->hs.key_share); 1485 1486 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1487 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1488 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1489 1490 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1491 1492 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1493 1494 tls1_transcript_free(s); 1495 tls1_transcript_hash_free(s); 1496 1497 free(s->s3->alpn_selected); 1498 1499 freezero(s->s3->peer_quic_transport_params, 1500 s->s3->peer_quic_transport_params_len); 1501 1502 freezero(s->s3, sizeof(*s->s3)); 1503 1504 s->s3 = NULL; 1505 } 1506 1507 void 1508 ssl3_clear(SSL *s) 1509 { 1510 unsigned char *rp, *wp; 1511 size_t rlen, wlen; 1512 1513 tls1_cleanup_key_block(s); 1514 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1515 1516 tls_buffer_free(s->s3->alert_fragment); 1517 s->s3->alert_fragment = NULL; 1518 tls_buffer_free(s->s3->handshake_fragment); 1519 s->s3->handshake_fragment = NULL; 1520 1521 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1522 s->s3->hs.sigalgs = NULL; 1523 s->s3->hs.sigalgs_len = 0; 1524 1525 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1526 s->s3->hs.peer_certs = NULL; 1527 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1528 s->s3->hs.peer_certs_no_leaf = NULL; 1529 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1530 s->s3->hs.verified_chain = NULL; 1531 1532 tls_key_share_free(s->s3->hs.key_share); 1533 s->s3->hs.key_share = NULL; 1534 1535 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1536 s->s3->hs.tls13.secrets = NULL; 1537 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1538 s->s3->hs.tls13.cookie = NULL; 1539 s->s3->hs.tls13.cookie_len = 0; 1540 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1541 1542 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1543 s->s3->hs.tls13.quic_read_buffer = NULL; 1544 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1545 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1546 1547 s->s3->hs.extensions_seen = 0; 1548 1549 rp = s->s3->rbuf.buf; 1550 wp = s->s3->wbuf.buf; 1551 rlen = s->s3->rbuf.len; 1552 wlen = s->s3->wbuf.len; 1553 1554 tls_content_free(s->s3->rcontent); 1555 s->s3->rcontent = NULL; 1556 1557 tls1_transcript_free(s); 1558 tls1_transcript_hash_free(s); 1559 1560 free(s->s3->alpn_selected); 1561 s->s3->alpn_selected = NULL; 1562 s->s3->alpn_selected_len = 0; 1563 1564 freezero(s->s3->peer_quic_transport_params, 1565 s->s3->peer_quic_transport_params_len); 1566 s->s3->peer_quic_transport_params = NULL; 1567 s->s3->peer_quic_transport_params_len = 0; 1568 1569 memset(s->s3, 0, sizeof(*s->s3)); 1570 1571 s->s3->rbuf.buf = rp; 1572 s->s3->wbuf.buf = wp; 1573 s->s3->rbuf.len = rlen; 1574 s->s3->wbuf.len = wlen; 1575 1576 ssl_free_wbio_buffer(s); 1577 1578 /* Not needed... */ 1579 s->s3->renegotiate = 0; 1580 s->s3->total_renegotiations = 0; 1581 s->s3->num_renegotiations = 0; 1582 s->s3->in_read_app_data = 0; 1583 1584 s->packet_length = 0; 1585 s->version = TLS1_2_VERSION; 1586 1587 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1588 } 1589 1590 long 1591 _SSL_get_shared_group(SSL *s, long n) 1592 { 1593 size_t count; 1594 int nid; 1595 1596 /* OpenSSL document that they return -1 for clients. They return 0. */ 1597 if (!s->server) 1598 return 0; 1599 1600 if (n == -1) { 1601 if (!tls1_count_shared_groups(s, &count)) 1602 return 0; 1603 1604 if (count > LONG_MAX) 1605 count = LONG_MAX; 1606 1607 return count; 1608 } 1609 1610 /* Undocumented special case added for Suite B profile support. */ 1611 if (n == -2) 1612 n = 0; 1613 1614 if (n < 0) 1615 return 0; 1616 1617 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1618 return NID_undef; 1619 1620 return nid; 1621 } 1622 1623 long 1624 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1625 { 1626 EVP_PKEY *pkey = NULL; 1627 int ret = 0; 1628 1629 *key = NULL; 1630 1631 if (s->s3->hs.key_share == NULL) 1632 goto err; 1633 1634 if ((pkey = EVP_PKEY_new()) == NULL) 1635 goto err; 1636 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1637 goto err; 1638 1639 *key = pkey; 1640 pkey = NULL; 1641 1642 ret = 1; 1643 1644 err: 1645 EVP_PKEY_free(pkey); 1646 1647 return (ret); 1648 } 1649 1650 static int 1651 _SSL_session_reused(SSL *s) 1652 { 1653 return s->hit; 1654 } 1655 1656 static int 1657 _SSL_num_renegotiations(SSL *s) 1658 { 1659 return s->s3->num_renegotiations; 1660 } 1661 1662 static int 1663 _SSL_clear_num_renegotiations(SSL *s) 1664 { 1665 int renegs; 1666 1667 renegs = s->s3->num_renegotiations; 1668 s->s3->num_renegotiations = 0; 1669 1670 return renegs; 1671 } 1672 1673 static int 1674 _SSL_total_renegotiations(SSL *s) 1675 { 1676 return s->s3->total_renegotiations; 1677 } 1678 1679 static int 1680 _SSL_set_tmp_dh(SSL *s, DH *dh) 1681 { 1682 DH *dhe_params; 1683 1684 if (dh == NULL) { 1685 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1686 return 0; 1687 } 1688 1689 if (!ssl_security_dh(s, dh)) { 1690 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1691 return 0; 1692 } 1693 1694 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1695 SSLerror(s, ERR_R_DH_LIB); 1696 return 0; 1697 } 1698 1699 DH_free(s->cert->dhe_params); 1700 s->cert->dhe_params = dhe_params; 1701 1702 return 1; 1703 } 1704 1705 static int 1706 _SSL_set_dh_auto(SSL *s, int state) 1707 { 1708 s->cert->dhe_params_auto = state; 1709 return 1; 1710 } 1711 1712 static int 1713 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1714 { 1715 const EC_GROUP *group; 1716 int nid; 1717 1718 if (ecdh == NULL) 1719 return 0; 1720 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1721 return 0; 1722 1723 nid = EC_GROUP_get_curve_name(group); 1724 return SSL_set1_groups(s, &nid, 1); 1725 } 1726 1727 static int 1728 _SSL_set_ecdh_auto(SSL *s, int state) 1729 { 1730 return 1; 1731 } 1732 1733 static int 1734 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1735 { 1736 int is_ip; 1737 CBS cbs; 1738 1739 free(s->tlsext_hostname); 1740 s->tlsext_hostname = NULL; 1741 1742 if (name == NULL) 1743 return 1; 1744 1745 CBS_init(&cbs, name, strlen(name)); 1746 1747 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1748 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1749 return 0; 1750 } 1751 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1752 SSLerror(s, ERR_R_INTERNAL_ERROR); 1753 return 0; 1754 } 1755 1756 return 1; 1757 } 1758 1759 static int 1760 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1761 { 1762 s->tlsext_debug_arg = arg; 1763 return 1; 1764 } 1765 1766 static int 1767 _SSL_get_tlsext_status_type(SSL *s) 1768 { 1769 return s->tlsext_status_type; 1770 } 1771 1772 static int 1773 _SSL_set_tlsext_status_type(SSL *s, int type) 1774 { 1775 s->tlsext_status_type = type; 1776 return 1; 1777 } 1778 1779 static int 1780 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1781 { 1782 *exts = s->tlsext_ocsp_exts; 1783 return 1; 1784 } 1785 1786 static int 1787 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1788 { 1789 /* XXX - leak... */ 1790 s->tlsext_ocsp_exts = exts; 1791 return 1; 1792 } 1793 1794 static int 1795 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1796 { 1797 *ids = s->tlsext_ocsp_ids; 1798 return 1; 1799 } 1800 1801 static int 1802 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1803 { 1804 /* XXX - leak... */ 1805 s->tlsext_ocsp_ids = ids; 1806 return 1; 1807 } 1808 1809 static int 1810 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1811 { 1812 if (s->tlsext_ocsp_resp != NULL && 1813 s->tlsext_ocsp_resp_len < INT_MAX) { 1814 *resp = s->tlsext_ocsp_resp; 1815 return (int)s->tlsext_ocsp_resp_len; 1816 } 1817 1818 *resp = NULL; 1819 1820 return -1; 1821 } 1822 1823 static int 1824 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1825 { 1826 free(s->tlsext_ocsp_resp); 1827 s->tlsext_ocsp_resp = NULL; 1828 s->tlsext_ocsp_resp_len = 0; 1829 1830 if (resp_len < 0) 1831 return 0; 1832 1833 s->tlsext_ocsp_resp = resp; 1834 s->tlsext_ocsp_resp_len = (size_t)resp_len; 1835 1836 return 1; 1837 } 1838 1839 int 1840 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1841 { 1842 return ssl_cert_set0_chain(NULL, ssl, chain); 1843 } 1844 LSSL_ALIAS(SSL_set0_chain); 1845 1846 int 1847 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1848 { 1849 return ssl_cert_set1_chain(NULL, ssl, chain); 1850 } 1851 LSSL_ALIAS(SSL_set1_chain); 1852 1853 int 1854 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1855 { 1856 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1857 } 1858 LSSL_ALIAS(SSL_add0_chain_cert); 1859 1860 int 1861 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1862 { 1863 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1864 } 1865 LSSL_ALIAS(SSL_add1_chain_cert); 1866 1867 int 1868 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1869 { 1870 *out_chain = NULL; 1871 1872 if (ssl->cert->key != NULL) 1873 *out_chain = ssl->cert->key->chain; 1874 1875 return 1; 1876 } 1877 LSSL_ALIAS(SSL_get0_chain_certs); 1878 1879 int 1880 SSL_clear_chain_certs(SSL *ssl) 1881 { 1882 return ssl_cert_set0_chain(NULL, ssl, NULL); 1883 } 1884 LSSL_ALIAS(SSL_clear_chain_certs); 1885 1886 int 1887 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1888 { 1889 return tls1_set_groups(&s->tlsext_supportedgroups, 1890 &s->tlsext_supportedgroups_length, groups, groups_len); 1891 } 1892 LSSL_ALIAS(SSL_set1_groups); 1893 1894 int 1895 SSL_set1_groups_list(SSL *s, const char *groups) 1896 { 1897 return tls1_set_group_list(&s->tlsext_supportedgroups, 1898 &s->tlsext_supportedgroups_length, groups); 1899 } 1900 LSSL_ALIAS(SSL_set1_groups_list); 1901 1902 static int 1903 _SSL_get_signature_nid(SSL *s, int *nid) 1904 { 1905 const struct ssl_sigalg *sigalg; 1906 1907 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1908 return 0; 1909 1910 *nid = EVP_MD_type(sigalg->md()); 1911 1912 return 1; 1913 } 1914 1915 static int 1916 _SSL_get_peer_signature_nid(SSL *s, int *nid) 1917 { 1918 const struct ssl_sigalg *sigalg; 1919 1920 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 1921 return 0; 1922 1923 *nid = EVP_MD_type(sigalg->md()); 1924 1925 return 1; 1926 } 1927 1928 int 1929 SSL_get_signature_type_nid(const SSL *s, int *nid) 1930 { 1931 const struct ssl_sigalg *sigalg; 1932 1933 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1934 return 0; 1935 1936 *nid = sigalg->key_type; 1937 if (sigalg->key_type == EVP_PKEY_RSA && 1938 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 1939 *nid = EVP_PKEY_RSA_PSS; 1940 1941 return 1; 1942 } 1943 LSSL_ALIAS(SSL_get_signature_type_nid); 1944 1945 int 1946 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 1947 { 1948 const struct ssl_sigalg *sigalg; 1949 1950 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 1951 return 0; 1952 1953 *nid = sigalg->key_type; 1954 if (sigalg->key_type == EVP_PKEY_RSA && 1955 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 1956 *nid = EVP_PKEY_RSA_PSS; 1957 1958 return 1; 1959 } 1960 LSSL_ALIAS(SSL_get_peer_signature_type_nid); 1961 1962 long 1963 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1964 { 1965 switch (cmd) { 1966 case SSL_CTRL_GET_SESSION_REUSED: 1967 return _SSL_session_reused(s); 1968 1969 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1970 return _SSL_num_renegotiations(s); 1971 1972 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1973 return _SSL_clear_num_renegotiations(s); 1974 1975 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1976 return _SSL_total_renegotiations(s); 1977 1978 case SSL_CTRL_SET_TMP_DH: 1979 return _SSL_set_tmp_dh(s, parg); 1980 1981 case SSL_CTRL_SET_TMP_DH_CB: 1982 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1983 return 0; 1984 1985 case SSL_CTRL_SET_DH_AUTO: 1986 return _SSL_set_dh_auto(s, larg); 1987 1988 case SSL_CTRL_SET_TMP_ECDH: 1989 return _SSL_set_tmp_ecdh(s, parg); 1990 1991 case SSL_CTRL_SET_TMP_ECDH_CB: 1992 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1993 return 0; 1994 1995 case SSL_CTRL_SET_ECDH_AUTO: 1996 return _SSL_set_ecdh_auto(s, larg); 1997 1998 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1999 if (larg != TLSEXT_NAMETYPE_host_name) { 2000 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 2001 return 0; 2002 } 2003 return _SSL_set_tlsext_host_name(s, parg); 2004 2005 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2006 return _SSL_set_tlsext_debug_arg(s, parg); 2007 2008 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 2009 return _SSL_get_tlsext_status_type(s); 2010 2011 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 2012 return _SSL_set_tlsext_status_type(s, larg); 2013 2014 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 2015 return _SSL_get_tlsext_status_exts(s, parg); 2016 2017 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 2018 return _SSL_set_tlsext_status_exts(s, parg); 2019 2020 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 2021 return _SSL_get_tlsext_status_ids(s, parg); 2022 2023 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 2024 return _SSL_set_tlsext_status_ids(s, parg); 2025 2026 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2027 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2028 2029 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2030 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2031 2032 case SSL_CTRL_CHAIN: 2033 if (larg == 0) 2034 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2035 else 2036 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2037 2038 case SSL_CTRL_CHAIN_CERT: 2039 if (larg == 0) 2040 return SSL_add0_chain_cert(s, (X509 *)parg); 2041 else 2042 return SSL_add1_chain_cert(s, (X509 *)parg); 2043 2044 case SSL_CTRL_GET_CHAIN_CERTS: 2045 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2046 2047 case SSL_CTRL_SET_GROUPS: 2048 return SSL_set1_groups(s, parg, larg); 2049 2050 case SSL_CTRL_SET_GROUPS_LIST: 2051 return SSL_set1_groups_list(s, parg); 2052 2053 case SSL_CTRL_GET_SHARED_GROUP: 2054 return _SSL_get_shared_group(s, larg); 2055 2056 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2057 case SSL_CTRL_GET_SERVER_TMP_KEY: 2058 if (s->server != 0) 2059 return 0; 2060 return _SSL_get_peer_tmp_key(s, parg); 2061 2062 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2063 return SSL_get_min_proto_version(s); 2064 2065 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2066 return SSL_get_max_proto_version(s); 2067 2068 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2069 if (larg < 0 || larg > UINT16_MAX) 2070 return 0; 2071 return SSL_set_min_proto_version(s, larg); 2072 2073 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2074 if (larg < 0 || larg > UINT16_MAX) 2075 return 0; 2076 return SSL_set_max_proto_version(s, larg); 2077 2078 case SSL_CTRL_GET_SIGNATURE_NID: 2079 return _SSL_get_signature_nid(s, parg); 2080 2081 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 2082 return _SSL_get_peer_signature_nid(s, parg); 2083 2084 /* 2085 * Legacy controls that should eventually be removed. 2086 */ 2087 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2088 return 0; 2089 2090 case SSL_CTRL_GET_FLAGS: 2091 return (int)(s->s3->flags); 2092 2093 case SSL_CTRL_NEED_TMP_RSA: 2094 return 0; 2095 2096 case SSL_CTRL_SET_TMP_RSA: 2097 case SSL_CTRL_SET_TMP_RSA_CB: 2098 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2099 return 0; 2100 } 2101 2102 return 0; 2103 } 2104 2105 long 2106 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2107 { 2108 switch (cmd) { 2109 case SSL_CTRL_SET_TMP_RSA_CB: 2110 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2111 return 0; 2112 2113 case SSL_CTRL_SET_TMP_DH_CB: 2114 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 2115 return 1; 2116 2117 case SSL_CTRL_SET_TMP_ECDH_CB: 2118 return 1; 2119 2120 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2121 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2122 unsigned char *, int, void *))fp; 2123 return 1; 2124 } 2125 2126 return 0; 2127 } 2128 2129 static int 2130 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2131 { 2132 DH *dhe_params; 2133 2134 if (dh == NULL) { 2135 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 2136 return 0; 2137 } 2138 2139 if (!ssl_ctx_security_dh(ctx, dh)) { 2140 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 2141 return 0; 2142 } 2143 2144 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2145 SSLerrorx(ERR_R_DH_LIB); 2146 return 0; 2147 } 2148 2149 DH_free(ctx->cert->dhe_params); 2150 ctx->cert->dhe_params = dhe_params; 2151 2152 return 1; 2153 } 2154 2155 static int 2156 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2157 { 2158 ctx->cert->dhe_params_auto = state; 2159 return 1; 2160 } 2161 2162 static int 2163 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2164 { 2165 const EC_GROUP *group; 2166 int nid; 2167 2168 if (ecdh == NULL) 2169 return 0; 2170 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2171 return 0; 2172 2173 nid = EC_GROUP_get_curve_name(group); 2174 return SSL_CTX_set1_groups(ctx, &nid, 1); 2175 } 2176 2177 static int 2178 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2179 { 2180 return 1; 2181 } 2182 2183 static int 2184 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2185 { 2186 ctx->tlsext_servername_arg = arg; 2187 return 1; 2188 } 2189 2190 static int 2191 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2192 { 2193 if (keys == NULL) 2194 return 48; 2195 2196 if (keys_len != 48) { 2197 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2198 return 0; 2199 } 2200 2201 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2202 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2203 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2204 2205 return 1; 2206 } 2207 2208 static int 2209 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2210 { 2211 if (keys == NULL) 2212 return 48; 2213 2214 if (keys_len != 48) { 2215 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2216 return 0; 2217 } 2218 2219 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2220 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2221 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2222 2223 return 1; 2224 } 2225 2226 static int 2227 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2228 { 2229 *arg = ctx->tlsext_status_arg; 2230 return 1; 2231 } 2232 2233 static int 2234 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2235 { 2236 ctx->tlsext_status_arg = arg; 2237 return 1; 2238 } 2239 2240 int 2241 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2242 { 2243 return ssl_cert_set0_chain(ctx, NULL, chain); 2244 } 2245 LSSL_ALIAS(SSL_CTX_set0_chain); 2246 2247 int 2248 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2249 { 2250 return ssl_cert_set1_chain(ctx, NULL, chain); 2251 } 2252 LSSL_ALIAS(SSL_CTX_set1_chain); 2253 2254 int 2255 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2256 { 2257 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2258 } 2259 LSSL_ALIAS(SSL_CTX_add0_chain_cert); 2260 2261 int 2262 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2263 { 2264 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2265 } 2266 LSSL_ALIAS(SSL_CTX_add1_chain_cert); 2267 2268 int 2269 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2270 { 2271 *out_chain = NULL; 2272 2273 if (ctx->cert->key != NULL) 2274 *out_chain = ctx->cert->key->chain; 2275 2276 return 1; 2277 } 2278 LSSL_ALIAS(SSL_CTX_get0_chain_certs); 2279 2280 int 2281 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2282 { 2283 return ssl_cert_set0_chain(ctx, NULL, NULL); 2284 } 2285 LSSL_ALIAS(SSL_CTX_clear_chain_certs); 2286 2287 static int 2288 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2289 { 2290 if (ctx->extra_certs == NULL) { 2291 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2292 return 0; 2293 } 2294 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2295 return 0; 2296 2297 return 1; 2298 } 2299 2300 static int 2301 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2302 { 2303 *certs = ctx->extra_certs; 2304 if (*certs == NULL) 2305 *certs = ctx->cert->key->chain; 2306 2307 return 1; 2308 } 2309 2310 static int 2311 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2312 { 2313 *certs = ctx->extra_certs; 2314 return 1; 2315 } 2316 2317 static int 2318 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2319 { 2320 sk_X509_pop_free(ctx->extra_certs, X509_free); 2321 ctx->extra_certs = NULL; 2322 return 1; 2323 } 2324 2325 int 2326 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2327 { 2328 return tls1_set_groups(&ctx->tlsext_supportedgroups, 2329 &ctx->tlsext_supportedgroups_length, groups, groups_len); 2330 } 2331 LSSL_ALIAS(SSL_CTX_set1_groups); 2332 2333 int 2334 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2335 { 2336 return tls1_set_group_list(&ctx->tlsext_supportedgroups, 2337 &ctx->tlsext_supportedgroups_length, groups); 2338 } 2339 LSSL_ALIAS(SSL_CTX_set1_groups_list); 2340 2341 long 2342 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2343 { 2344 switch (cmd) { 2345 case SSL_CTRL_SET_TMP_DH: 2346 return _SSL_CTX_set_tmp_dh(ctx, parg); 2347 2348 case SSL_CTRL_SET_TMP_DH_CB: 2349 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2350 return 0; 2351 2352 case SSL_CTRL_SET_DH_AUTO: 2353 return _SSL_CTX_set_dh_auto(ctx, larg); 2354 2355 case SSL_CTRL_SET_TMP_ECDH: 2356 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2357 2358 case SSL_CTRL_SET_TMP_ECDH_CB: 2359 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2360 return 0; 2361 2362 case SSL_CTRL_SET_ECDH_AUTO: 2363 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2364 2365 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2366 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2367 2368 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2369 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2370 2371 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2372 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2373 2374 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2375 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2376 2377 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2378 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2379 2380 case SSL_CTRL_CHAIN: 2381 if (larg == 0) 2382 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2383 else 2384 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2385 2386 case SSL_CTRL_CHAIN_CERT: 2387 if (larg == 0) 2388 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2389 else 2390 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2391 2392 case SSL_CTRL_GET_CHAIN_CERTS: 2393 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2394 2395 case SSL_CTRL_EXTRA_CHAIN_CERT: 2396 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2397 2398 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2399 if (larg == 0) 2400 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2401 else 2402 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2403 2404 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2405 return _SSL_CTX_clear_extra_chain_certs(ctx); 2406 2407 case SSL_CTRL_SET_GROUPS: 2408 return SSL_CTX_set1_groups(ctx, parg, larg); 2409 2410 case SSL_CTRL_SET_GROUPS_LIST: 2411 return SSL_CTX_set1_groups_list(ctx, parg); 2412 2413 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2414 return SSL_CTX_get_min_proto_version(ctx); 2415 2416 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2417 return SSL_CTX_get_max_proto_version(ctx); 2418 2419 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2420 if (larg < 0 || larg > UINT16_MAX) 2421 return 0; 2422 return SSL_CTX_set_min_proto_version(ctx, larg); 2423 2424 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2425 if (larg < 0 || larg > UINT16_MAX) 2426 return 0; 2427 return SSL_CTX_set_max_proto_version(ctx, larg); 2428 2429 /* 2430 * Legacy controls that should eventually be removed. 2431 */ 2432 case SSL_CTRL_NEED_TMP_RSA: 2433 return 0; 2434 2435 case SSL_CTRL_SET_TMP_RSA: 2436 case SSL_CTRL_SET_TMP_RSA_CB: 2437 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2438 return 0; 2439 } 2440 2441 return 0; 2442 } 2443 2444 long 2445 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2446 { 2447 switch (cmd) { 2448 case SSL_CTRL_SET_TMP_RSA_CB: 2449 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2450 return 0; 2451 2452 case SSL_CTRL_SET_TMP_DH_CB: 2453 ctx->cert->dhe_params_cb = 2454 (DH *(*)(SSL *, int, int))fp; 2455 return 1; 2456 2457 case SSL_CTRL_SET_TMP_ECDH_CB: 2458 return 1; 2459 2460 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2461 ctx->tlsext_servername_callback = 2462 (int (*)(SSL *, int *, void *))fp; 2463 return 1; 2464 2465 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2466 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; 2467 return 1; 2468 2469 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2470 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2471 return 1; 2472 2473 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2474 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2475 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2476 return 1; 2477 } 2478 2479 return 0; 2480 } 2481 2482 SSL_CIPHER * 2483 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2484 STACK_OF(SSL_CIPHER) *srvr) 2485 { 2486 unsigned long alg_k, alg_a, mask_k, mask_a; 2487 STACK_OF(SSL_CIPHER) *prio, *allow; 2488 SSL_CIPHER *c, *ret = NULL; 2489 int can_use_ecc; 2490 int i, ii, nid, ok; 2491 SSL_CERT *cert; 2492 2493 /* Let's see which ciphers we can support */ 2494 cert = s->cert; 2495 2496 can_use_ecc = tls1_get_supported_group(s, &nid); 2497 2498 /* 2499 * Do not set the compare functions, because this may lead to a 2500 * reordering by "id". We want to keep the original ordering. 2501 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2502 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2503 */ 2504 2505 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2506 prio = srvr; 2507 allow = clnt; 2508 } else { 2509 prio = clnt; 2510 allow = srvr; 2511 } 2512 2513 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2514 c = sk_SSL_CIPHER_value(prio, i); 2515 2516 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2517 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2518 !SSL_USE_TLS1_2_CIPHERS(s)) 2519 continue; 2520 2521 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2522 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2523 !SSL_USE_TLS1_3_CIPHERS(s)) 2524 continue; 2525 2526 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2527 if (SSL_USE_TLS1_3_CIPHERS(s) && 2528 !(c->algorithm_ssl & SSL_TLSV1_3)) 2529 continue; 2530 2531 if (!ssl_security_shared_cipher(s, c)) 2532 continue; 2533 2534 ssl_set_cert_masks(cert, c); 2535 mask_k = cert->mask_k; 2536 mask_a = cert->mask_a; 2537 2538 alg_k = c->algorithm_mkey; 2539 alg_a = c->algorithm_auth; 2540 2541 ok = (alg_k & mask_k) && (alg_a & mask_a); 2542 2543 /* 2544 * If we are considering an ECC cipher suite that uses our 2545 * certificate check it. 2546 */ 2547 if (alg_a & SSL_aECDSA) 2548 ok = ok && tls1_check_ec_server_key(s); 2549 /* 2550 * If we are considering an ECC cipher suite that uses 2551 * an ephemeral EC key check it. 2552 */ 2553 if (alg_k & SSL_kECDHE) 2554 ok = ok && can_use_ecc; 2555 2556 if (!ok) 2557 continue; 2558 ii = sk_SSL_CIPHER_find(allow, c); 2559 if (ii >= 0) { 2560 ret = sk_SSL_CIPHER_value(allow, ii); 2561 break; 2562 } 2563 } 2564 return (ret); 2565 } 2566 2567 #define SSL3_CT_RSA_SIGN 1 2568 #define SSL3_CT_RSA_FIXED_DH 3 2569 #define SSL3_CT_ECDSA_SIGN 64 2570 2571 int 2572 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2573 { 2574 unsigned long alg_k; 2575 2576 alg_k = s->s3->hs.cipher->algorithm_mkey; 2577 2578 if ((alg_k & SSL_kDHE) != 0) { 2579 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2580 return 0; 2581 } 2582 2583 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2584 return 0; 2585 2586 /* 2587 * ECDSA certs can be used with RSA cipher suites as well 2588 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2589 */ 2590 if (!CBB_add_u8(cbb, SSL3_CT_ECDSA_SIGN)) 2591 return 0; 2592 2593 return 1; 2594 } 2595 2596 int 2597 ssl3_shutdown(SSL *s) 2598 { 2599 int ret; 2600 2601 /* 2602 * Don't do anything much if we have not done the handshake or 2603 * we don't want to send messages :-) 2604 */ 2605 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2606 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2607 return (1); 2608 } 2609 2610 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { 2611 s->shutdown|=SSL_SENT_SHUTDOWN; 2612 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2613 /* 2614 * Our shutdown alert has been sent now, and if it still needs 2615 * to be written, s->s3->alert_dispatch will be true 2616 */ 2617 if (s->s3->alert_dispatch) 2618 return (-1); /* return WANT_WRITE */ 2619 } else if (s->s3->alert_dispatch) { 2620 /* resend it if not sent */ 2621 ret = ssl3_dispatch_alert(s); 2622 if (ret == -1) { 2623 /* 2624 * We only get to return -1 here the 2nd/Nth 2625 * invocation, we must have already signalled 2626 * return 0 upon a previous invoation, 2627 * return WANT_WRITE 2628 */ 2629 return (ret); 2630 } 2631 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2632 /* If we are waiting for a close from our peer, we are closed */ 2633 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2634 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2635 return (-1); /* return WANT_READ */ 2636 } 2637 } 2638 2639 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2640 !s->s3->alert_dispatch) 2641 return (1); 2642 else 2643 return (0); 2644 } 2645 2646 int 2647 ssl3_write(SSL *s, const void *buf, int len) 2648 { 2649 errno = 0; 2650 2651 if (s->s3->renegotiate) 2652 ssl3_renegotiate_check(s); 2653 2654 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2655 buf, len); 2656 } 2657 2658 static int 2659 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2660 { 2661 int ret; 2662 2663 errno = 0; 2664 if (s->s3->renegotiate) 2665 ssl3_renegotiate_check(s); 2666 s->s3->in_read_app_data = 1; 2667 2668 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2669 peek); 2670 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2671 /* 2672 * ssl3_read_bytes decided to call s->handshake_func, 2673 * which called ssl3_read_bytes to read handshake data. 2674 * However, ssl3_read_bytes actually found application data 2675 * and thinks that application data makes sense here; so disable 2676 * handshake processing and try to read application data again. 2677 */ 2678 s->in_handshake++; 2679 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2680 buf, len, peek); 2681 s->in_handshake--; 2682 } else 2683 s->s3->in_read_app_data = 0; 2684 2685 return (ret); 2686 } 2687 2688 int 2689 ssl3_read(SSL *s, void *buf, int len) 2690 { 2691 return ssl3_read_internal(s, buf, len, 0); 2692 } 2693 2694 int 2695 ssl3_peek(SSL *s, void *buf, int len) 2696 { 2697 return ssl3_read_internal(s, buf, len, 1); 2698 } 2699 2700 int 2701 ssl3_renegotiate(SSL *s) 2702 { 2703 if (s->handshake_func == NULL) 2704 return 1; 2705 2706 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2707 return 0; 2708 2709 s->s3->renegotiate = 1; 2710 2711 return 1; 2712 } 2713 2714 int 2715 ssl3_renegotiate_check(SSL *s) 2716 { 2717 if (!s->s3->renegotiate) 2718 return 0; 2719 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2720 return 0; 2721 2722 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2723 s->s3->renegotiate = 0; 2724 s->s3->num_renegotiations++; 2725 s->s3->total_renegotiations++; 2726 2727 return 1; 2728 } 2729