1 /* $OpenBSD: s3_lib.c,v 1.144 2017/05/07 21:05:05 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 160 #include "ssl_locl.h" 161 #include "bytestring.h" 162 163 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 164 165 /* 166 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 167 * fixed nonce length in algorithms2. It is the inverse of the 168 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 169 */ 170 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 171 172 /* list of available SSLv3 ciphers (sorted by id) */ 173 SSL_CIPHER ssl3_ciphers[] = { 174 175 /* The RSA ciphers */ 176 /* Cipher 01 */ 177 { 178 .valid = 1, 179 .name = SSL3_TXT_RSA_NULL_MD5, 180 .id = SSL3_CK_RSA_NULL_MD5, 181 .algorithm_mkey = SSL_kRSA, 182 .algorithm_auth = SSL_aRSA, 183 .algorithm_enc = SSL_eNULL, 184 .algorithm_mac = SSL_MD5, 185 .algorithm_ssl = SSL_SSLV3, 186 .algo_strength = SSL_STRONG_NONE, 187 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 188 .strength_bits = 0, 189 .alg_bits = 0, 190 }, 191 192 /* Cipher 02 */ 193 { 194 .valid = 1, 195 .name = SSL3_TXT_RSA_NULL_SHA, 196 .id = SSL3_CK_RSA_NULL_SHA, 197 .algorithm_mkey = SSL_kRSA, 198 .algorithm_auth = SSL_aRSA, 199 .algorithm_enc = SSL_eNULL, 200 .algorithm_mac = SSL_SHA1, 201 .algorithm_ssl = SSL_SSLV3, 202 .algo_strength = SSL_STRONG_NONE, 203 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 204 .strength_bits = 0, 205 .alg_bits = 0, 206 }, 207 208 /* Cipher 04 */ 209 { 210 .valid = 1, 211 .name = SSL3_TXT_RSA_RC4_128_MD5, 212 .id = SSL3_CK_RSA_RC4_128_MD5, 213 .algorithm_mkey = SSL_kRSA, 214 .algorithm_auth = SSL_aRSA, 215 .algorithm_enc = SSL_RC4, 216 .algorithm_mac = SSL_MD5, 217 .algorithm_ssl = SSL_SSLV3, 218 .algo_strength = SSL_LOW, 219 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 220 .strength_bits = 128, 221 .alg_bits = 128, 222 }, 223 224 /* Cipher 05 */ 225 { 226 .valid = 1, 227 .name = SSL3_TXT_RSA_RC4_128_SHA, 228 .id = SSL3_CK_RSA_RC4_128_SHA, 229 .algorithm_mkey = SSL_kRSA, 230 .algorithm_auth = SSL_aRSA, 231 .algorithm_enc = SSL_RC4, 232 .algorithm_mac = SSL_SHA1, 233 .algorithm_ssl = SSL_SSLV3, 234 .algo_strength = SSL_LOW, 235 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 236 .strength_bits = 128, 237 .alg_bits = 128, 238 }, 239 240 /* Cipher 09 */ 241 { 242 .valid = 1, 243 .name = SSL3_TXT_RSA_DES_64_CBC_SHA, 244 .id = SSL3_CK_RSA_DES_64_CBC_SHA, 245 .algorithm_mkey = SSL_kRSA, 246 .algorithm_auth = SSL_aRSA, 247 .algorithm_enc = SSL_DES, 248 .algorithm_mac = SSL_SHA1, 249 .algorithm_ssl = SSL_SSLV3, 250 .algo_strength = SSL_LOW, 251 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 252 .strength_bits = 56, 253 .alg_bits = 56, 254 }, 255 256 /* Cipher 0A */ 257 { 258 .valid = 1, 259 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 260 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 261 .algorithm_mkey = SSL_kRSA, 262 .algorithm_auth = SSL_aRSA, 263 .algorithm_enc = SSL_3DES, 264 .algorithm_mac = SSL_SHA1, 265 .algorithm_ssl = SSL_SSLV3, 266 .algo_strength = SSL_MEDIUM, 267 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 268 .strength_bits = 112, 269 .alg_bits = 168, 270 }, 271 272 /* 273 * Ephemeral DH (DHE) ciphers. 274 */ 275 276 /* Cipher 15 */ 277 { 278 .valid = 1, 279 .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 280 .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA, 281 .algorithm_mkey = SSL_kDHE, 282 .algorithm_auth = SSL_aRSA, 283 .algorithm_enc = SSL_DES, 284 .algorithm_mac = SSL_SHA1, 285 .algorithm_ssl = SSL_SSLV3, 286 .algo_strength = SSL_LOW, 287 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 288 .strength_bits = 56, 289 .alg_bits = 56, 290 }, 291 292 /* Cipher 16 */ 293 { 294 .valid = 1, 295 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 296 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 297 .algorithm_mkey = SSL_kDHE, 298 .algorithm_auth = SSL_aRSA, 299 .algorithm_enc = SSL_3DES, 300 .algorithm_mac = SSL_SHA1, 301 .algorithm_ssl = SSL_SSLV3, 302 .algo_strength = SSL_MEDIUM, 303 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 304 .strength_bits = 112, 305 .alg_bits = 168, 306 }, 307 308 /* Cipher 18 */ 309 { 310 .valid = 1, 311 .name = SSL3_TXT_ADH_RC4_128_MD5, 312 .id = SSL3_CK_ADH_RC4_128_MD5, 313 .algorithm_mkey = SSL_kDHE, 314 .algorithm_auth = SSL_aNULL, 315 .algorithm_enc = SSL_RC4, 316 .algorithm_mac = SSL_MD5, 317 .algorithm_ssl = SSL_SSLV3, 318 .algo_strength = SSL_LOW, 319 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 320 .strength_bits = 128, 321 .alg_bits = 128, 322 }, 323 324 /* Cipher 1A */ 325 { 326 .valid = 1, 327 .name = SSL3_TXT_ADH_DES_64_CBC_SHA, 328 .id = SSL3_CK_ADH_DES_64_CBC_SHA, 329 .algorithm_mkey = SSL_kDHE, 330 .algorithm_auth = SSL_aNULL, 331 .algorithm_enc = SSL_DES, 332 .algorithm_mac = SSL_SHA1, 333 .algorithm_ssl = SSL_SSLV3, 334 .algo_strength = SSL_LOW, 335 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 336 .strength_bits = 56, 337 .alg_bits = 56, 338 }, 339 340 /* Cipher 1B */ 341 { 342 .valid = 1, 343 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 344 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 345 .algorithm_mkey = SSL_kDHE, 346 .algorithm_auth = SSL_aNULL, 347 .algorithm_enc = SSL_3DES, 348 .algorithm_mac = SSL_SHA1, 349 .algorithm_ssl = SSL_SSLV3, 350 .algo_strength = SSL_MEDIUM, 351 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 352 .strength_bits = 112, 353 .alg_bits = 168, 354 }, 355 356 /* 357 * AES ciphersuites. 358 */ 359 360 /* Cipher 2F */ 361 { 362 .valid = 1, 363 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 364 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 365 .algorithm_mkey = SSL_kRSA, 366 .algorithm_auth = SSL_aRSA, 367 .algorithm_enc = SSL_AES128, 368 .algorithm_mac = SSL_SHA1, 369 .algorithm_ssl = SSL_TLSV1, 370 .algo_strength = SSL_HIGH, 371 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 372 .strength_bits = 128, 373 .alg_bits = 128, 374 }, 375 376 /* Cipher 33 */ 377 { 378 .valid = 1, 379 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 380 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 381 .algorithm_mkey = SSL_kDHE, 382 .algorithm_auth = SSL_aRSA, 383 .algorithm_enc = SSL_AES128, 384 .algorithm_mac = SSL_SHA1, 385 .algorithm_ssl = SSL_TLSV1, 386 .algo_strength = SSL_HIGH, 387 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 388 .strength_bits = 128, 389 .alg_bits = 128, 390 }, 391 392 /* Cipher 34 */ 393 { 394 .valid = 1, 395 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 396 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 397 .algorithm_mkey = SSL_kDHE, 398 .algorithm_auth = SSL_aNULL, 399 .algorithm_enc = SSL_AES128, 400 .algorithm_mac = SSL_SHA1, 401 .algorithm_ssl = SSL_TLSV1, 402 .algo_strength = SSL_HIGH, 403 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 404 .strength_bits = 128, 405 .alg_bits = 128, 406 }, 407 408 /* Cipher 35 */ 409 { 410 .valid = 1, 411 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 412 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 413 .algorithm_mkey = SSL_kRSA, 414 .algorithm_auth = SSL_aRSA, 415 .algorithm_enc = SSL_AES256, 416 .algorithm_mac = SSL_SHA1, 417 .algorithm_ssl = SSL_TLSV1, 418 .algo_strength = SSL_HIGH, 419 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 420 .strength_bits = 256, 421 .alg_bits = 256, 422 }, 423 424 /* Cipher 39 */ 425 { 426 .valid = 1, 427 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 428 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 429 .algorithm_mkey = SSL_kDHE, 430 .algorithm_auth = SSL_aRSA, 431 .algorithm_enc = SSL_AES256, 432 .algorithm_mac = SSL_SHA1, 433 .algorithm_ssl = SSL_TLSV1, 434 .algo_strength = SSL_HIGH, 435 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 436 .strength_bits = 256, 437 .alg_bits = 256, 438 }, 439 440 /* Cipher 3A */ 441 { 442 .valid = 1, 443 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 444 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 445 .algorithm_mkey = SSL_kDHE, 446 .algorithm_auth = SSL_aNULL, 447 .algorithm_enc = SSL_AES256, 448 .algorithm_mac = SSL_SHA1, 449 .algorithm_ssl = SSL_TLSV1, 450 .algo_strength = SSL_HIGH, 451 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 452 .strength_bits = 256, 453 .alg_bits = 256, 454 }, 455 456 /* TLS v1.2 ciphersuites */ 457 /* Cipher 3B */ 458 { 459 .valid = 1, 460 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 461 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 462 .algorithm_mkey = SSL_kRSA, 463 .algorithm_auth = SSL_aRSA, 464 .algorithm_enc = SSL_eNULL, 465 .algorithm_mac = SSL_SHA256, 466 .algorithm_ssl = SSL_TLSV1_2, 467 .algo_strength = SSL_STRONG_NONE, 468 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 469 .strength_bits = 0, 470 .alg_bits = 0, 471 }, 472 473 /* Cipher 3C */ 474 { 475 .valid = 1, 476 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 477 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 478 .algorithm_mkey = SSL_kRSA, 479 .algorithm_auth = SSL_aRSA, 480 .algorithm_enc = SSL_AES128, 481 .algorithm_mac = SSL_SHA256, 482 .algorithm_ssl = SSL_TLSV1_2, 483 .algo_strength = SSL_HIGH, 484 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 485 .strength_bits = 128, 486 .alg_bits = 128, 487 }, 488 489 /* Cipher 3D */ 490 { 491 .valid = 1, 492 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 493 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 494 .algorithm_mkey = SSL_kRSA, 495 .algorithm_auth = SSL_aRSA, 496 .algorithm_enc = SSL_AES256, 497 .algorithm_mac = SSL_SHA256, 498 .algorithm_ssl = SSL_TLSV1_2, 499 .algo_strength = SSL_HIGH, 500 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 501 .strength_bits = 256, 502 .alg_bits = 256, 503 }, 504 505 #ifndef OPENSSL_NO_CAMELLIA 506 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 507 508 /* Cipher 41 */ 509 { 510 .valid = 1, 511 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 512 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 513 .algorithm_mkey = SSL_kRSA, 514 .algorithm_auth = SSL_aRSA, 515 .algorithm_enc = SSL_CAMELLIA128, 516 .algorithm_mac = SSL_SHA1, 517 .algorithm_ssl = SSL_TLSV1, 518 .algo_strength = SSL_HIGH, 519 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 520 .strength_bits = 128, 521 .alg_bits = 128, 522 }, 523 524 /* Cipher 45 */ 525 { 526 .valid = 1, 527 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 528 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 529 .algorithm_mkey = SSL_kDHE, 530 .algorithm_auth = SSL_aRSA, 531 .algorithm_enc = SSL_CAMELLIA128, 532 .algorithm_mac = SSL_SHA1, 533 .algorithm_ssl = SSL_TLSV1, 534 .algo_strength = SSL_HIGH, 535 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 536 .strength_bits = 128, 537 .alg_bits = 128, 538 }, 539 540 /* Cipher 46 */ 541 { 542 .valid = 1, 543 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 544 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 545 .algorithm_mkey = SSL_kDHE, 546 .algorithm_auth = SSL_aNULL, 547 .algorithm_enc = SSL_CAMELLIA128, 548 .algorithm_mac = SSL_SHA1, 549 .algorithm_ssl = SSL_TLSV1, 550 .algo_strength = SSL_HIGH, 551 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 552 .strength_bits = 128, 553 .alg_bits = 128, 554 }, 555 #endif /* OPENSSL_NO_CAMELLIA */ 556 557 /* TLS v1.2 ciphersuites */ 558 /* Cipher 67 */ 559 { 560 .valid = 1, 561 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 562 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 563 .algorithm_mkey = SSL_kDHE, 564 .algorithm_auth = SSL_aRSA, 565 .algorithm_enc = SSL_AES128, 566 .algorithm_mac = SSL_SHA256, 567 .algorithm_ssl = SSL_TLSV1_2, 568 .algo_strength = SSL_HIGH, 569 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 570 .strength_bits = 128, 571 .alg_bits = 128, 572 }, 573 574 /* Cipher 6B */ 575 { 576 .valid = 1, 577 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 578 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 579 .algorithm_mkey = SSL_kDHE, 580 .algorithm_auth = SSL_aRSA, 581 .algorithm_enc = SSL_AES256, 582 .algorithm_mac = SSL_SHA256, 583 .algorithm_ssl = SSL_TLSV1_2, 584 .algo_strength = SSL_HIGH, 585 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 586 .strength_bits = 256, 587 .alg_bits = 256, 588 }, 589 590 /* Cipher 6C */ 591 { 592 .valid = 1, 593 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 594 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 595 .algorithm_mkey = SSL_kDHE, 596 .algorithm_auth = SSL_aNULL, 597 .algorithm_enc = SSL_AES128, 598 .algorithm_mac = SSL_SHA256, 599 .algorithm_ssl = SSL_TLSV1_2, 600 .algo_strength = SSL_HIGH, 601 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 602 .strength_bits = 128, 603 .alg_bits = 128, 604 }, 605 606 /* Cipher 6D */ 607 { 608 .valid = 1, 609 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 610 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 611 .algorithm_mkey = SSL_kDHE, 612 .algorithm_auth = SSL_aNULL, 613 .algorithm_enc = SSL_AES256, 614 .algorithm_mac = SSL_SHA256, 615 .algorithm_ssl = SSL_TLSV1_2, 616 .algo_strength = SSL_HIGH, 617 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 618 .strength_bits = 256, 619 .alg_bits = 256, 620 }, 621 622 /* GOST Ciphersuites */ 623 624 /* Cipher 81 */ 625 { 626 .valid = 1, 627 .name = "GOST2001-GOST89-GOST89", 628 .id = 0x3000081, 629 .algorithm_mkey = SSL_kGOST, 630 .algorithm_auth = SSL_aGOST01, 631 .algorithm_enc = SSL_eGOST2814789CNT, 632 .algorithm_mac = SSL_GOST89MAC, 633 .algorithm_ssl = SSL_TLSV1, 634 .algo_strength = SSL_HIGH, 635 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 636 TLS1_STREAM_MAC, 637 .strength_bits = 256, 638 .alg_bits = 256 639 }, 640 641 /* Cipher 83 */ 642 { 643 .valid = 1, 644 .name = "GOST2001-NULL-GOST94", 645 .id = 0x3000083, 646 .algorithm_mkey = SSL_kGOST, 647 .algorithm_auth = SSL_aGOST01, 648 .algorithm_enc = SSL_eNULL, 649 .algorithm_mac = SSL_GOST94, 650 .algorithm_ssl = SSL_TLSV1, 651 .algo_strength = SSL_STRONG_NONE, 652 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 653 .strength_bits = 0, 654 .alg_bits = 0 655 }, 656 657 #ifndef OPENSSL_NO_CAMELLIA 658 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 659 660 /* Cipher 84 */ 661 { 662 .valid = 1, 663 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 664 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 665 .algorithm_mkey = SSL_kRSA, 666 .algorithm_auth = SSL_aRSA, 667 .algorithm_enc = SSL_CAMELLIA256, 668 .algorithm_mac = SSL_SHA1, 669 .algorithm_ssl = SSL_TLSV1, 670 .algo_strength = SSL_HIGH, 671 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 672 .strength_bits = 256, 673 .alg_bits = 256, 674 }, 675 676 /* Cipher 88 */ 677 { 678 .valid = 1, 679 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 680 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 681 .algorithm_mkey = SSL_kDHE, 682 .algorithm_auth = SSL_aRSA, 683 .algorithm_enc = SSL_CAMELLIA256, 684 .algorithm_mac = SSL_SHA1, 685 .algorithm_ssl = SSL_TLSV1, 686 .algo_strength = SSL_HIGH, 687 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 688 .strength_bits = 256, 689 .alg_bits = 256, 690 }, 691 692 /* Cipher 89 */ 693 { 694 .valid = 1, 695 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 696 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 697 .algorithm_mkey = SSL_kDHE, 698 .algorithm_auth = SSL_aNULL, 699 .algorithm_enc = SSL_CAMELLIA256, 700 .algorithm_mac = SSL_SHA1, 701 .algorithm_ssl = SSL_TLSV1, 702 .algo_strength = SSL_HIGH, 703 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 704 .strength_bits = 256, 705 .alg_bits = 256, 706 }, 707 #endif /* OPENSSL_NO_CAMELLIA */ 708 709 /* 710 * GCM ciphersuites from RFC5288. 711 */ 712 713 /* Cipher 9C */ 714 { 715 .valid = 1, 716 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 717 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 718 .algorithm_mkey = SSL_kRSA, 719 .algorithm_auth = SSL_aRSA, 720 .algorithm_enc = SSL_AES128GCM, 721 .algorithm_mac = SSL_AEAD, 722 .algorithm_ssl = SSL_TLSV1_2, 723 .algo_strength = SSL_HIGH, 724 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 725 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 726 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 727 .strength_bits = 128, 728 .alg_bits = 128, 729 }, 730 731 /* Cipher 9D */ 732 { 733 .valid = 1, 734 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 735 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 736 .algorithm_mkey = SSL_kRSA, 737 .algorithm_auth = SSL_aRSA, 738 .algorithm_enc = SSL_AES256GCM, 739 .algorithm_mac = SSL_AEAD, 740 .algorithm_ssl = SSL_TLSV1_2, 741 .algo_strength = SSL_HIGH, 742 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 743 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 744 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 745 .strength_bits = 256, 746 .alg_bits = 256, 747 }, 748 749 /* Cipher 9E */ 750 { 751 .valid = 1, 752 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 753 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 754 .algorithm_mkey = SSL_kDHE, 755 .algorithm_auth = SSL_aRSA, 756 .algorithm_enc = SSL_AES128GCM, 757 .algorithm_mac = SSL_AEAD, 758 .algorithm_ssl = SSL_TLSV1_2, 759 .algo_strength = SSL_HIGH, 760 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 761 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 762 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 763 .strength_bits = 128, 764 .alg_bits = 128, 765 }, 766 767 /* Cipher 9F */ 768 { 769 .valid = 1, 770 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 771 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 772 .algorithm_mkey = SSL_kDHE, 773 .algorithm_auth = SSL_aRSA, 774 .algorithm_enc = SSL_AES256GCM, 775 .algorithm_mac = SSL_AEAD, 776 .algorithm_ssl = SSL_TLSV1_2, 777 .algo_strength = SSL_HIGH, 778 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 779 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 780 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 781 .strength_bits = 256, 782 .alg_bits = 256, 783 }, 784 785 /* Cipher A6 */ 786 { 787 .valid = 1, 788 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 789 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 790 .algorithm_mkey = SSL_kDHE, 791 .algorithm_auth = SSL_aNULL, 792 .algorithm_enc = SSL_AES128GCM, 793 .algorithm_mac = SSL_AEAD, 794 .algorithm_ssl = SSL_TLSV1_2, 795 .algo_strength = SSL_HIGH, 796 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 797 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 798 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 799 .strength_bits = 128, 800 .alg_bits = 128, 801 }, 802 803 /* Cipher A7 */ 804 { 805 .valid = 1, 806 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 807 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 808 .algorithm_mkey = SSL_kDHE, 809 .algorithm_auth = SSL_aNULL, 810 .algorithm_enc = SSL_AES256GCM, 811 .algorithm_mac = SSL_AEAD, 812 .algorithm_ssl = SSL_TLSV1_2, 813 .algo_strength = SSL_HIGH, 814 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 815 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 816 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 817 .strength_bits = 256, 818 .alg_bits = 256, 819 }, 820 821 #ifndef OPENSSL_NO_CAMELLIA 822 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 823 824 /* Cipher BA */ 825 { 826 .valid = 1, 827 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 828 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 829 .algorithm_mkey = SSL_kRSA, 830 .algorithm_auth = SSL_aRSA, 831 .algorithm_enc = SSL_CAMELLIA128, 832 .algorithm_mac = SSL_SHA256, 833 .algorithm_ssl = SSL_TLSV1_2, 834 .algo_strength = SSL_HIGH, 835 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 836 .strength_bits = 128, 837 .alg_bits = 128, 838 }, 839 840 /* Cipher BE */ 841 { 842 .valid = 1, 843 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 844 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 845 .algorithm_mkey = SSL_kDHE, 846 .algorithm_auth = SSL_aRSA, 847 .algorithm_enc = SSL_CAMELLIA128, 848 .algorithm_mac = SSL_SHA256, 849 .algorithm_ssl = SSL_TLSV1_2, 850 .algo_strength = SSL_HIGH, 851 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 852 .strength_bits = 128, 853 .alg_bits = 128, 854 }, 855 856 /* Cipher BF */ 857 { 858 .valid = 1, 859 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 860 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 861 .algorithm_mkey = SSL_kDHE, 862 .algorithm_auth = SSL_aNULL, 863 .algorithm_enc = SSL_CAMELLIA128, 864 .algorithm_mac = SSL_SHA256, 865 .algorithm_ssl = SSL_TLSV1_2, 866 .algo_strength = SSL_HIGH, 867 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 868 .strength_bits = 128, 869 .alg_bits = 128, 870 }, 871 872 /* Cipher C0 */ 873 { 874 .valid = 1, 875 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 876 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 877 .algorithm_mkey = SSL_kRSA, 878 .algorithm_auth = SSL_aRSA, 879 .algorithm_enc = SSL_CAMELLIA256, 880 .algorithm_mac = SSL_SHA256, 881 .algorithm_ssl = SSL_TLSV1_2, 882 .algo_strength = SSL_HIGH, 883 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 884 .strength_bits = 256, 885 .alg_bits = 256, 886 }, 887 888 /* Cipher C4 */ 889 { 890 .valid = 1, 891 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 892 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 893 .algorithm_mkey = SSL_kDHE, 894 .algorithm_auth = SSL_aRSA, 895 .algorithm_enc = SSL_CAMELLIA256, 896 .algorithm_mac = SSL_SHA256, 897 .algorithm_ssl = SSL_TLSV1_2, 898 .algo_strength = SSL_HIGH, 899 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 900 .strength_bits = 256, 901 .alg_bits = 256, 902 }, 903 904 /* Cipher C5 */ 905 { 906 .valid = 1, 907 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 908 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 909 .algorithm_mkey = SSL_kDHE, 910 .algorithm_auth = SSL_aNULL, 911 .algorithm_enc = SSL_CAMELLIA256, 912 .algorithm_mac = SSL_SHA256, 913 .algorithm_ssl = SSL_TLSV1_2, 914 .algo_strength = SSL_HIGH, 915 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 916 .strength_bits = 256, 917 .alg_bits = 256, 918 }, 919 #endif /* OPENSSL_NO_CAMELLIA */ 920 921 /* Cipher C006 */ 922 { 923 .valid = 1, 924 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 925 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 926 .algorithm_mkey = SSL_kECDHE, 927 .algorithm_auth = SSL_aECDSA, 928 .algorithm_enc = SSL_eNULL, 929 .algorithm_mac = SSL_SHA1, 930 .algorithm_ssl = SSL_TLSV1, 931 .algo_strength = SSL_STRONG_NONE, 932 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 933 .strength_bits = 0, 934 .alg_bits = 0, 935 }, 936 937 /* Cipher C007 */ 938 { 939 .valid = 1, 940 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 941 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 942 .algorithm_mkey = SSL_kECDHE, 943 .algorithm_auth = SSL_aECDSA, 944 .algorithm_enc = SSL_RC4, 945 .algorithm_mac = SSL_SHA1, 946 .algorithm_ssl = SSL_TLSV1, 947 .algo_strength = SSL_LOW, 948 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 949 .strength_bits = 128, 950 .alg_bits = 128, 951 }, 952 953 /* Cipher C008 */ 954 { 955 .valid = 1, 956 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 957 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 958 .algorithm_mkey = SSL_kECDHE, 959 .algorithm_auth = SSL_aECDSA, 960 .algorithm_enc = SSL_3DES, 961 .algorithm_mac = SSL_SHA1, 962 .algorithm_ssl = SSL_TLSV1, 963 .algo_strength = SSL_MEDIUM, 964 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 965 .strength_bits = 112, 966 .alg_bits = 168, 967 }, 968 969 /* Cipher C009 */ 970 { 971 .valid = 1, 972 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 973 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 974 .algorithm_mkey = SSL_kECDHE, 975 .algorithm_auth = SSL_aECDSA, 976 .algorithm_enc = SSL_AES128, 977 .algorithm_mac = SSL_SHA1, 978 .algorithm_ssl = SSL_TLSV1, 979 .algo_strength = SSL_HIGH, 980 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 981 .strength_bits = 128, 982 .alg_bits = 128, 983 }, 984 985 /* Cipher C00A */ 986 { 987 .valid = 1, 988 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 989 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 990 .algorithm_mkey = SSL_kECDHE, 991 .algorithm_auth = SSL_aECDSA, 992 .algorithm_enc = SSL_AES256, 993 .algorithm_mac = SSL_SHA1, 994 .algorithm_ssl = SSL_TLSV1, 995 .algo_strength = SSL_HIGH, 996 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 997 .strength_bits = 256, 998 .alg_bits = 256, 999 }, 1000 1001 /* Cipher C010 */ 1002 { 1003 .valid = 1, 1004 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1005 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1006 .algorithm_mkey = SSL_kECDHE, 1007 .algorithm_auth = SSL_aRSA, 1008 .algorithm_enc = SSL_eNULL, 1009 .algorithm_mac = SSL_SHA1, 1010 .algorithm_ssl = SSL_TLSV1, 1011 .algo_strength = SSL_STRONG_NONE, 1012 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1013 .strength_bits = 0, 1014 .alg_bits = 0, 1015 }, 1016 1017 /* Cipher C011 */ 1018 { 1019 .valid = 1, 1020 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1021 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1022 .algorithm_mkey = SSL_kECDHE, 1023 .algorithm_auth = SSL_aRSA, 1024 .algorithm_enc = SSL_RC4, 1025 .algorithm_mac = SSL_SHA1, 1026 .algorithm_ssl = SSL_TLSV1, 1027 .algo_strength = SSL_LOW, 1028 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1029 .strength_bits = 128, 1030 .alg_bits = 128, 1031 }, 1032 1033 /* Cipher C012 */ 1034 { 1035 .valid = 1, 1036 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1037 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1038 .algorithm_mkey = SSL_kECDHE, 1039 .algorithm_auth = SSL_aRSA, 1040 .algorithm_enc = SSL_3DES, 1041 .algorithm_mac = SSL_SHA1, 1042 .algorithm_ssl = SSL_TLSV1, 1043 .algo_strength = SSL_HIGH, 1044 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1045 .strength_bits = 112, 1046 .alg_bits = 168, 1047 }, 1048 1049 /* Cipher C013 */ 1050 { 1051 .valid = 1, 1052 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1053 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1054 .algorithm_mkey = SSL_kECDHE, 1055 .algorithm_auth = SSL_aRSA, 1056 .algorithm_enc = SSL_AES128, 1057 .algorithm_mac = SSL_SHA1, 1058 .algorithm_ssl = SSL_TLSV1, 1059 .algo_strength = SSL_HIGH, 1060 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1061 .strength_bits = 128, 1062 .alg_bits = 128, 1063 }, 1064 1065 /* Cipher C014 */ 1066 { 1067 .valid = 1, 1068 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1069 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1070 .algorithm_mkey = SSL_kECDHE, 1071 .algorithm_auth = SSL_aRSA, 1072 .algorithm_enc = SSL_AES256, 1073 .algorithm_mac = SSL_SHA1, 1074 .algorithm_ssl = SSL_TLSV1, 1075 .algo_strength = SSL_HIGH, 1076 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1077 .strength_bits = 256, 1078 .alg_bits = 256, 1079 }, 1080 1081 /* Cipher C015 */ 1082 { 1083 .valid = 1, 1084 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1085 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1086 .algorithm_mkey = SSL_kECDHE, 1087 .algorithm_auth = SSL_aNULL, 1088 .algorithm_enc = SSL_eNULL, 1089 .algorithm_mac = SSL_SHA1, 1090 .algorithm_ssl = SSL_TLSV1, 1091 .algo_strength = SSL_STRONG_NONE, 1092 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1093 .strength_bits = 0, 1094 .alg_bits = 0, 1095 }, 1096 1097 /* Cipher C016 */ 1098 { 1099 .valid = 1, 1100 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1101 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1102 .algorithm_mkey = SSL_kECDHE, 1103 .algorithm_auth = SSL_aNULL, 1104 .algorithm_enc = SSL_RC4, 1105 .algorithm_mac = SSL_SHA1, 1106 .algorithm_ssl = SSL_TLSV1, 1107 .algo_strength = SSL_LOW, 1108 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1109 .strength_bits = 128, 1110 .alg_bits = 128, 1111 }, 1112 1113 /* Cipher C017 */ 1114 { 1115 .valid = 1, 1116 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1117 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1118 .algorithm_mkey = SSL_kECDHE, 1119 .algorithm_auth = SSL_aNULL, 1120 .algorithm_enc = SSL_3DES, 1121 .algorithm_mac = SSL_SHA1, 1122 .algorithm_ssl = SSL_TLSV1, 1123 .algo_strength = SSL_MEDIUM, 1124 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1125 .strength_bits = 112, 1126 .alg_bits = 168, 1127 }, 1128 1129 /* Cipher C018 */ 1130 { 1131 .valid = 1, 1132 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1133 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1134 .algorithm_mkey = SSL_kECDHE, 1135 .algorithm_auth = SSL_aNULL, 1136 .algorithm_enc = SSL_AES128, 1137 .algorithm_mac = SSL_SHA1, 1138 .algorithm_ssl = SSL_TLSV1, 1139 .algo_strength = SSL_HIGH, 1140 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1141 .strength_bits = 128, 1142 .alg_bits = 128, 1143 }, 1144 1145 /* Cipher C019 */ 1146 { 1147 .valid = 1, 1148 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1149 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1150 .algorithm_mkey = SSL_kECDHE, 1151 .algorithm_auth = SSL_aNULL, 1152 .algorithm_enc = SSL_AES256, 1153 .algorithm_mac = SSL_SHA1, 1154 .algorithm_ssl = SSL_TLSV1, 1155 .algo_strength = SSL_HIGH, 1156 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1157 .strength_bits = 256, 1158 .alg_bits = 256, 1159 }, 1160 1161 1162 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1163 1164 /* Cipher C023 */ 1165 { 1166 .valid = 1, 1167 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1168 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1169 .algorithm_mkey = SSL_kECDHE, 1170 .algorithm_auth = SSL_aECDSA, 1171 .algorithm_enc = SSL_AES128, 1172 .algorithm_mac = SSL_SHA256, 1173 .algorithm_ssl = SSL_TLSV1_2, 1174 .algo_strength = SSL_HIGH, 1175 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1176 .strength_bits = 128, 1177 .alg_bits = 128, 1178 }, 1179 1180 /* Cipher C024 */ 1181 { 1182 .valid = 1, 1183 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1184 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1185 .algorithm_mkey = SSL_kECDHE, 1186 .algorithm_auth = SSL_aECDSA, 1187 .algorithm_enc = SSL_AES256, 1188 .algorithm_mac = SSL_SHA384, 1189 .algorithm_ssl = SSL_TLSV1_2, 1190 .algo_strength = SSL_HIGH, 1191 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1192 .strength_bits = 256, 1193 .alg_bits = 256, 1194 }, 1195 1196 /* Cipher C027 */ 1197 { 1198 .valid = 1, 1199 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1200 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1201 .algorithm_mkey = SSL_kECDHE, 1202 .algorithm_auth = SSL_aRSA, 1203 .algorithm_enc = SSL_AES128, 1204 .algorithm_mac = SSL_SHA256, 1205 .algorithm_ssl = SSL_TLSV1_2, 1206 .algo_strength = SSL_HIGH, 1207 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1208 .strength_bits = 128, 1209 .alg_bits = 128, 1210 }, 1211 1212 /* Cipher C028 */ 1213 { 1214 .valid = 1, 1215 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1216 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1217 .algorithm_mkey = SSL_kECDHE, 1218 .algorithm_auth = SSL_aRSA, 1219 .algorithm_enc = SSL_AES256, 1220 .algorithm_mac = SSL_SHA384, 1221 .algorithm_ssl = SSL_TLSV1_2, 1222 .algo_strength = SSL_HIGH, 1223 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1224 .strength_bits = 256, 1225 .alg_bits = 256, 1226 }, 1227 1228 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1229 1230 /* Cipher C02B */ 1231 { 1232 .valid = 1, 1233 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1234 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1235 .algorithm_mkey = SSL_kECDHE, 1236 .algorithm_auth = SSL_aECDSA, 1237 .algorithm_enc = SSL_AES128GCM, 1238 .algorithm_mac = SSL_AEAD, 1239 .algorithm_ssl = SSL_TLSV1_2, 1240 .algo_strength = SSL_HIGH, 1241 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1242 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1243 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1244 .strength_bits = 128, 1245 .alg_bits = 128, 1246 }, 1247 1248 /* Cipher C02C */ 1249 { 1250 .valid = 1, 1251 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1252 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1253 .algorithm_mkey = SSL_kECDHE, 1254 .algorithm_auth = SSL_aECDSA, 1255 .algorithm_enc = SSL_AES256GCM, 1256 .algorithm_mac = SSL_AEAD, 1257 .algorithm_ssl = SSL_TLSV1_2, 1258 .algo_strength = SSL_HIGH, 1259 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1260 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1261 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1262 .strength_bits = 256, 1263 .alg_bits = 256, 1264 }, 1265 1266 /* Cipher C02F */ 1267 { 1268 .valid = 1, 1269 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1270 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1271 .algorithm_mkey = SSL_kECDHE, 1272 .algorithm_auth = SSL_aRSA, 1273 .algorithm_enc = SSL_AES128GCM, 1274 .algorithm_mac = SSL_AEAD, 1275 .algorithm_ssl = SSL_TLSV1_2, 1276 .algo_strength = SSL_HIGH, 1277 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1278 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1279 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1280 .strength_bits = 128, 1281 .alg_bits = 128, 1282 }, 1283 1284 /* Cipher C030 */ 1285 { 1286 .valid = 1, 1287 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1288 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1289 .algorithm_mkey = SSL_kECDHE, 1290 .algorithm_auth = SSL_aRSA, 1291 .algorithm_enc = SSL_AES256GCM, 1292 .algorithm_mac = SSL_AEAD, 1293 .algorithm_ssl = SSL_TLSV1_2, 1294 .algo_strength = SSL_HIGH, 1295 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1296 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1297 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1298 .strength_bits = 256, 1299 .alg_bits = 256, 1300 }, 1301 1302 /* Cipher CC13 */ 1303 { 1304 .valid = 1, 1305 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD, 1306 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD, 1307 .algorithm_mkey = SSL_kECDHE, 1308 .algorithm_auth = SSL_aRSA, 1309 .algorithm_enc = SSL_CHACHA20POLY1305_OLD, 1310 .algorithm_mac = SSL_AEAD, 1311 .algorithm_ssl = SSL_TLSV1_2, 1312 .algo_strength = SSL_HIGH, 1313 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1314 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1315 .strength_bits = 256, 1316 .alg_bits = 256, 1317 }, 1318 1319 /* Cipher CC14 */ 1320 { 1321 .valid = 1, 1322 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD, 1323 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD, 1324 .algorithm_mkey = SSL_kECDHE, 1325 .algorithm_auth = SSL_aECDSA, 1326 .algorithm_enc = SSL_CHACHA20POLY1305_OLD, 1327 .algorithm_mac = SSL_AEAD, 1328 .algorithm_ssl = SSL_TLSV1_2, 1329 .algo_strength = SSL_HIGH, 1330 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1331 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1332 .strength_bits = 256, 1333 .alg_bits = 256, 1334 }, 1335 1336 /* Cipher CC15 */ 1337 { 1338 .valid = 1, 1339 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD, 1340 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD, 1341 .algorithm_mkey = SSL_kDHE, 1342 .algorithm_auth = SSL_aRSA, 1343 .algorithm_enc = SSL_CHACHA20POLY1305_OLD, 1344 .algorithm_mac = SSL_AEAD, 1345 .algorithm_ssl = SSL_TLSV1_2, 1346 .algo_strength = SSL_HIGH, 1347 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1348 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1349 .strength_bits = 256, 1350 .alg_bits = 256, 1351 }, 1352 1353 /* Cipher CCA8 */ 1354 { 1355 .valid = 1, 1356 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1357 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1358 .algorithm_mkey = SSL_kECDHE, 1359 .algorithm_auth = SSL_aRSA, 1360 .algorithm_enc = SSL_CHACHA20POLY1305, 1361 .algorithm_mac = SSL_AEAD, 1362 .algorithm_ssl = SSL_TLSV1_2, 1363 .algo_strength = SSL_HIGH, 1364 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1365 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), 1366 .strength_bits = 256, 1367 .alg_bits = 256, 1368 }, 1369 1370 /* Cipher CCA9 */ 1371 { 1372 .valid = 1, 1373 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1374 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1375 .algorithm_mkey = SSL_kECDHE, 1376 .algorithm_auth = SSL_aECDSA, 1377 .algorithm_enc = SSL_CHACHA20POLY1305, 1378 .algorithm_mac = SSL_AEAD, 1379 .algorithm_ssl = SSL_TLSV1_2, 1380 .algo_strength = SSL_HIGH, 1381 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1382 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), 1383 .strength_bits = 256, 1384 .alg_bits = 256, 1385 }, 1386 1387 /* Cipher CCAA */ 1388 { 1389 .valid = 1, 1390 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1391 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1392 .algorithm_mkey = SSL_kDHE, 1393 .algorithm_auth = SSL_aRSA, 1394 .algorithm_enc = SSL_CHACHA20POLY1305, 1395 .algorithm_mac = SSL_AEAD, 1396 .algorithm_ssl = SSL_TLSV1_2, 1397 .algo_strength = SSL_HIGH, 1398 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1399 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), 1400 .strength_bits = 256, 1401 .alg_bits = 256, 1402 }, 1403 1404 /* Cipher FF85 FIXME IANA */ 1405 { 1406 .valid = 1, 1407 .name = "GOST2012256-GOST89-GOST89", 1408 .id = 0x300ff85, /* FIXME IANA */ 1409 .algorithm_mkey = SSL_kGOST, 1410 .algorithm_auth = SSL_aGOST01, 1411 .algorithm_enc = SSL_eGOST2814789CNT, 1412 .algorithm_mac = SSL_GOST89MAC, 1413 .algorithm_ssl = SSL_TLSV1, 1414 .algo_strength = SSL_HIGH, 1415 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1416 TLS1_STREAM_MAC, 1417 .strength_bits = 256, 1418 .alg_bits = 256 1419 }, 1420 1421 /* Cipher FF87 FIXME IANA */ 1422 { 1423 .valid = 1, 1424 .name = "GOST2012256-NULL-STREEBOG256", 1425 .id = 0x300ff87, /* FIXME IANA */ 1426 .algorithm_mkey = SSL_kGOST, 1427 .algorithm_auth = SSL_aGOST01, 1428 .algorithm_enc = SSL_eNULL, 1429 .algorithm_mac = SSL_STREEBOG256, 1430 .algorithm_ssl = SSL_TLSV1, 1431 .algo_strength = SSL_STRONG_NONE, 1432 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1433 .strength_bits = 0, 1434 .alg_bits = 0 1435 }, 1436 1437 1438 /* end of list */ 1439 }; 1440 1441 int 1442 ssl3_num_ciphers(void) 1443 { 1444 return (SSL3_NUM_CIPHERS); 1445 } 1446 1447 const SSL_CIPHER * 1448 ssl3_get_cipher(unsigned int u) 1449 { 1450 if (u < SSL3_NUM_CIPHERS) 1451 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1452 else 1453 return (NULL); 1454 } 1455 1456 const SSL_CIPHER * 1457 ssl3_get_cipher_by_id(unsigned int id) 1458 { 1459 const SSL_CIPHER *cp; 1460 SSL_CIPHER c; 1461 1462 c.id = id; 1463 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1464 if (cp != NULL && cp->valid == 1) 1465 return (cp); 1466 1467 return (NULL); 1468 } 1469 1470 const SSL_CIPHER * 1471 ssl3_get_cipher_by_value(uint16_t value) 1472 { 1473 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1474 } 1475 1476 uint16_t 1477 ssl3_cipher_get_value(const SSL_CIPHER *c) 1478 { 1479 return (c->id & SSL3_CK_VALUE_MASK); 1480 } 1481 1482 int 1483 ssl3_pending(const SSL *s) 1484 { 1485 if (s->internal->rstate == SSL_ST_READ_BODY) 1486 return 0; 1487 1488 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1489 S3I(s)->rrec.length : 0; 1490 } 1491 1492 int 1493 ssl3_handshake_msg_hdr_len(SSL *s) 1494 { 1495 return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH : 1496 SSL3_HM_HEADER_LENGTH); 1497 } 1498 1499 unsigned char * 1500 ssl3_handshake_msg_start(SSL *s, uint8_t msg_type) 1501 { 1502 unsigned char *d, *p; 1503 1504 d = p = (unsigned char *)s->internal->init_buf->data; 1505 1506 /* Handshake message type and length. */ 1507 *(p++) = msg_type; 1508 l2n3(0, p); 1509 1510 return (d + ssl3_handshake_msg_hdr_len(s)); 1511 } 1512 1513 void 1514 ssl3_handshake_msg_finish(SSL *s, unsigned int len) 1515 { 1516 unsigned char *d, *p; 1517 uint8_t msg_type; 1518 1519 d = p = (unsigned char *)s->internal->init_buf->data; 1520 1521 /* Handshake message length. */ 1522 msg_type = *(p++); 1523 l2n3(len, p); 1524 1525 s->internal->init_num = ssl3_handshake_msg_hdr_len(s) + (int)len; 1526 s->internal->init_off = 0; 1527 1528 if (SSL_IS_DTLS(s)) { 1529 dtls1_set_message_header(s, msg_type, len, 0, len); 1530 dtls1_buffer_message(s, 0); 1531 } 1532 } 1533 1534 int 1535 ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body, 1536 uint8_t msg_type) 1537 { 1538 int ret = 0; 1539 1540 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1541 goto err; 1542 if (!CBB_add_u8(handshake, msg_type)) 1543 goto err; 1544 if (SSL_IS_DTLS(s)) { 1545 unsigned char *data; 1546 1547 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1548 SSL3_HM_HEADER_LENGTH)) 1549 goto err; 1550 } 1551 if (!CBB_add_u24_length_prefixed(handshake, body)) 1552 goto err; 1553 1554 ret = 1; 1555 1556 err: 1557 return (ret); 1558 } 1559 1560 int 1561 ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake) 1562 { 1563 unsigned char *data = NULL; 1564 size_t outlen; 1565 int ret = 0; 1566 1567 if (!CBB_finish(handshake, &data, &outlen)) 1568 goto err; 1569 1570 if (outlen > INT_MAX) 1571 goto err; 1572 1573 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen)) 1574 goto err; 1575 1576 memcpy(s->internal->init_buf->data, data, outlen); 1577 1578 s->internal->init_num = (int)outlen; 1579 s->internal->init_off = 0; 1580 1581 if (SSL_IS_DTLS(s)) { 1582 unsigned long len; 1583 uint8_t msg_type; 1584 CBS cbs; 1585 1586 CBS_init(&cbs, data, outlen); 1587 if (!CBS_get_u8(&cbs, &msg_type)) 1588 goto err; 1589 1590 len = outlen - ssl3_handshake_msg_hdr_len(s); 1591 1592 dtls1_set_message_header(s, msg_type, len, 0, len); 1593 dtls1_buffer_message(s, 0); 1594 } 1595 1596 ret = 1; 1597 1598 err: 1599 free(data); 1600 1601 return (ret); 1602 } 1603 1604 int 1605 ssl3_handshake_write(SSL *s) 1606 { 1607 if (SSL_IS_DTLS(s)) 1608 return dtls1_do_write(s, SSL3_RT_HANDSHAKE); 1609 1610 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 1611 } 1612 1613 int 1614 ssl3_new(SSL *s) 1615 { 1616 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1617 return (0); 1618 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) { 1619 free(s->s3); 1620 return (0); 1621 } 1622 1623 s->method->internal->ssl_clear(s); 1624 1625 return (1); 1626 } 1627 1628 void 1629 ssl3_free(SSL *s) 1630 { 1631 if (s == NULL) 1632 return; 1633 1634 tls1_cleanup_key_block(s); 1635 ssl3_release_read_buffer(s); 1636 ssl3_release_write_buffer(s); 1637 1638 DH_free(S3I(s)->tmp.dh); 1639 EC_KEY_free(S3I(s)->tmp.ecdh); 1640 1641 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); 1642 1643 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1644 1645 BIO_free(S3I(s)->handshake_buffer); 1646 1647 tls1_handshake_hash_free(s); 1648 1649 free(S3I(s)->alpn_selected); 1650 1651 freezero(S3I(s), sizeof(*S3I(s))); 1652 freezero(s->s3, sizeof(*s->s3)); 1653 1654 s->s3 = NULL; 1655 } 1656 1657 void 1658 ssl3_clear(SSL *s) 1659 { 1660 struct ssl3_state_internal_st *internal; 1661 unsigned char *rp, *wp; 1662 size_t rlen, wlen; 1663 1664 tls1_cleanup_key_block(s); 1665 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1666 1667 DH_free(S3I(s)->tmp.dh); 1668 S3I(s)->tmp.dh = NULL; 1669 EC_KEY_free(S3I(s)->tmp.ecdh); 1670 S3I(s)->tmp.ecdh = NULL; 1671 1672 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); 1673 S3I(s)->tmp.x25519 = NULL; 1674 1675 rp = s->s3->rbuf.buf; 1676 wp = s->s3->wbuf.buf; 1677 rlen = s->s3->rbuf.len; 1678 wlen = s->s3->wbuf.len; 1679 1680 BIO_free(S3I(s)->handshake_buffer); 1681 S3I(s)->handshake_buffer = NULL; 1682 1683 tls1_handshake_hash_free(s); 1684 1685 free(S3I(s)->alpn_selected); 1686 S3I(s)->alpn_selected = NULL; 1687 1688 memset(S3I(s), 0, sizeof(*S3I(s))); 1689 internal = S3I(s); 1690 memset(s->s3, 0, sizeof(*s->s3)); 1691 S3I(s) = internal; 1692 1693 s->s3->rbuf.buf = rp; 1694 s->s3->wbuf.buf = wp; 1695 s->s3->rbuf.len = rlen; 1696 s->s3->wbuf.len = wlen; 1697 1698 ssl_free_wbio_buffer(s); 1699 1700 /* Not needed... */ 1701 S3I(s)->renegotiate = 0; 1702 S3I(s)->total_renegotiations = 0; 1703 S3I(s)->num_renegotiations = 0; 1704 S3I(s)->in_read_app_data = 0; 1705 1706 s->internal->packet_length = 0; 1707 s->version = TLS1_VERSION; 1708 1709 free(s->internal->next_proto_negotiated); 1710 s->internal->next_proto_negotiated = NULL; 1711 s->internal->next_proto_negotiated_len = 0; 1712 } 1713 1714 static long 1715 ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) 1716 { 1717 EVP_PKEY *pkey = NULL; 1718 EC_GROUP *group = NULL; 1719 EC_POINT *point = NULL; 1720 EC_KEY *ec_key = NULL; 1721 BIGNUM *order = NULL; 1722 SESS_CERT *sc; 1723 int ret = 0; 1724 1725 *pkey_tmp = NULL; 1726 1727 if (s->server != 0) 1728 return 0; 1729 if (s->session == NULL || SSI(s)->sess_cert == NULL) 1730 return 0; 1731 1732 sc = SSI(s)->sess_cert; 1733 1734 if ((pkey = EVP_PKEY_new()) == NULL) 1735 return 0; 1736 1737 if (sc->peer_dh_tmp != NULL) { 1738 ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp); 1739 } else if (sc->peer_ecdh_tmp) { 1740 ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp); 1741 } else if (sc->peer_x25519_tmp != NULL) { 1742 /* Fudge up an EC_KEY that looks like X25519... */ 1743 if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL) 1744 goto err; 1745 if ((point = EC_POINT_new(group)) == NULL) 1746 goto err; 1747 if ((order = BN_new()) == NULL) 1748 goto err; 1749 if (!BN_set_bit(order, 252)) 1750 goto err; 1751 if (!EC_GROUP_set_generator(group, point, order, NULL)) 1752 goto err; 1753 EC_GROUP_set_curve_name(group, NID_X25519); 1754 if ((ec_key = EC_KEY_new()) == NULL) 1755 goto err; 1756 if (!EC_KEY_set_group(ec_key, group)) 1757 goto err; 1758 ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key); 1759 } 1760 1761 if (ret == 1) { 1762 *pkey_tmp = pkey; 1763 pkey = NULL; 1764 } 1765 1766 err: 1767 EVP_PKEY_free(pkey); 1768 EC_GROUP_free(group); 1769 EC_POINT_free(point); 1770 EC_KEY_free(ec_key); 1771 BN_free(order); 1772 1773 return (ret); 1774 } 1775 1776 long 1777 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1778 { 1779 int ret = 0; 1780 1781 if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { 1782 if (!ssl_cert_inst(&s->cert)) { 1783 SSLerror(s, ERR_R_MALLOC_FAILURE); 1784 return (0); 1785 } 1786 } 1787 1788 switch (cmd) { 1789 case SSL_CTRL_GET_SESSION_REUSED: 1790 ret = s->internal->hit; 1791 break; 1792 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 1793 break; 1794 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1795 ret = S3I(s)->num_renegotiations; 1796 break; 1797 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1798 ret = S3I(s)->num_renegotiations; 1799 S3I(s)->num_renegotiations = 0; 1800 break; 1801 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1802 ret = S3I(s)->total_renegotiations; 1803 break; 1804 case SSL_CTRL_GET_FLAGS: 1805 ret = (int)(s->s3->flags); 1806 break; 1807 case SSL_CTRL_NEED_TMP_RSA: 1808 ret = 0; 1809 break; 1810 case SSL_CTRL_SET_TMP_RSA: 1811 case SSL_CTRL_SET_TMP_RSA_CB: 1812 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1813 break; 1814 case SSL_CTRL_SET_TMP_DH: 1815 { 1816 DH *dh = (DH *)parg; 1817 if (dh == NULL) { 1818 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1819 return (ret); 1820 } 1821 if ((dh = DHparams_dup(dh)) == NULL) { 1822 SSLerror(s, ERR_R_DH_LIB); 1823 return (ret); 1824 } 1825 DH_free(s->cert->dh_tmp); 1826 s->cert->dh_tmp = dh; 1827 ret = 1; 1828 } 1829 break; 1830 1831 case SSL_CTRL_SET_TMP_DH_CB: 1832 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1833 return (ret); 1834 1835 case SSL_CTRL_SET_DH_AUTO: 1836 s->cert->dh_tmp_auto = larg; 1837 return 1; 1838 1839 case SSL_CTRL_SET_TMP_ECDH: 1840 { 1841 EC_KEY *ecdh = NULL; 1842 1843 if (parg == NULL) { 1844 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1845 return (ret); 1846 } 1847 if (!EC_KEY_up_ref((EC_KEY *)parg)) { 1848 SSLerror(s, ERR_R_ECDH_LIB); 1849 return (ret); 1850 } 1851 ecdh = (EC_KEY *)parg; 1852 if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) { 1853 if (!EC_KEY_generate_key(ecdh)) { 1854 EC_KEY_free(ecdh); 1855 SSLerror(s, ERR_R_ECDH_LIB); 1856 return (ret); 1857 } 1858 } 1859 EC_KEY_free(s->cert->ecdh_tmp); 1860 s->cert->ecdh_tmp = ecdh; 1861 ret = 1; 1862 } 1863 break; 1864 case SSL_CTRL_SET_TMP_ECDH_CB: 1865 { 1866 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1867 return (ret); 1868 } 1869 break; 1870 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1871 if (larg == TLSEXT_NAMETYPE_host_name) { 1872 free(s->tlsext_hostname); 1873 s->tlsext_hostname = NULL; 1874 1875 ret = 1; 1876 if (parg == NULL) 1877 break; 1878 if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { 1879 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1880 return 0; 1881 } 1882 if ((s->tlsext_hostname = strdup((char *)parg)) 1883 == NULL) { 1884 SSLerror(s, ERR_R_INTERNAL_ERROR); 1885 return 0; 1886 } 1887 } else { 1888 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 1889 return 0; 1890 } 1891 break; 1892 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 1893 s->internal->tlsext_debug_arg = parg; 1894 ret = 1; 1895 break; 1896 1897 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 1898 s->tlsext_status_type = larg; 1899 ret = 1; 1900 break; 1901 1902 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 1903 *(STACK_OF(X509_EXTENSION) **)parg = s->internal->tlsext_ocsp_exts; 1904 ret = 1; 1905 break; 1906 1907 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 1908 s->internal->tlsext_ocsp_exts = parg; 1909 ret = 1; 1910 break; 1911 1912 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 1913 *(STACK_OF(OCSP_RESPID) **)parg = s->internal->tlsext_ocsp_ids; 1914 ret = 1; 1915 break; 1916 1917 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 1918 s->internal->tlsext_ocsp_ids = parg; 1919 ret = 1; 1920 break; 1921 1922 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 1923 *(unsigned char **)parg = s->internal->tlsext_ocsp_resp; 1924 return s->internal->tlsext_ocsp_resplen; 1925 1926 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 1927 free(s->internal->tlsext_ocsp_resp); 1928 s->internal->tlsext_ocsp_resp = parg; 1929 s->internal->tlsext_ocsp_resplen = larg; 1930 ret = 1; 1931 break; 1932 1933 case SSL_CTRL_SET_ECDH_AUTO: 1934 s->cert->ecdh_tmp_auto = larg; 1935 ret = 1; 1936 break; 1937 1938 case SSL_CTRL_SET_GROUPS: 1939 return SSL_set1_groups(s, parg, larg); 1940 1941 case SSL_CTRL_SET_GROUPS_LIST: 1942 return SSL_set1_groups_list(s, parg); 1943 1944 case SSL_CTRL_GET_SERVER_TMP_KEY: 1945 ret = ssl_ctrl_get_server_tmp_key(s, parg); 1946 break; 1947 1948 case SSL_CTRL_SET_MIN_PROTO_VERSION: 1949 if (larg < 0 || larg > UINT16_MAX) 1950 return (0); 1951 return SSL_set_min_proto_version(s, larg); 1952 1953 case SSL_CTRL_SET_MAX_PROTO_VERSION: 1954 if (larg < 0 || larg > UINT16_MAX) 1955 return (0); 1956 return SSL_set_max_proto_version(s, larg); 1957 1958 default: 1959 break; 1960 } 1961 1962 return (ret); 1963 } 1964 1965 int 1966 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1967 { 1968 return tls1_set_groups(&s->internal->tlsext_supportedgroups, 1969 &s->internal->tlsext_supportedgroups_length, groups, groups_len); 1970 } 1971 1972 int 1973 SSL_set1_groups_list(SSL *s, const char *groups) 1974 { 1975 return tls1_set_groups_list(&s->internal->tlsext_supportedgroups, 1976 &s->internal->tlsext_supportedgroups_length, groups); 1977 } 1978 1979 long 1980 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 1981 { 1982 int ret = 0; 1983 1984 if (cmd == SSL_CTRL_SET_TMP_DH_CB) { 1985 if (!ssl_cert_inst(&s->cert)) { 1986 SSLerror(s, ERR_R_MALLOC_FAILURE); 1987 return (0); 1988 } 1989 } 1990 1991 switch (cmd) { 1992 case SSL_CTRL_SET_TMP_RSA_CB: 1993 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1994 break; 1995 case SSL_CTRL_SET_TMP_DH_CB: 1996 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 1997 break; 1998 case SSL_CTRL_SET_TMP_ECDH_CB: 1999 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2000 break; 2001 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2002 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, 2003 unsigned char *, int, void *))fp; 2004 break; 2005 default: 2006 break; 2007 } 2008 return (ret); 2009 } 2010 2011 long 2012 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2013 { 2014 CERT *cert; 2015 2016 cert = ctx->internal->cert; 2017 2018 switch (cmd) { 2019 case SSL_CTRL_NEED_TMP_RSA: 2020 return (0); 2021 case SSL_CTRL_SET_TMP_RSA: 2022 case SSL_CTRL_SET_TMP_RSA_CB: 2023 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2024 return (0); 2025 case SSL_CTRL_SET_TMP_DH: 2026 { 2027 DH *new = NULL, *dh; 2028 2029 dh = (DH *)parg; 2030 if ((new = DHparams_dup(dh)) == NULL) { 2031 SSLerrorx(ERR_R_DH_LIB); 2032 return 0; 2033 } 2034 DH_free(cert->dh_tmp); 2035 cert->dh_tmp = new; 2036 return 1; 2037 } 2038 /*break; */ 2039 2040 case SSL_CTRL_SET_TMP_DH_CB: 2041 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2042 return (0); 2043 2044 case SSL_CTRL_SET_DH_AUTO: 2045 ctx->internal->cert->dh_tmp_auto = larg; 2046 return (1); 2047 2048 case SSL_CTRL_SET_TMP_ECDH: 2049 { 2050 EC_KEY *ecdh = NULL; 2051 2052 if (parg == NULL) { 2053 SSLerrorx(ERR_R_ECDH_LIB); 2054 return 0; 2055 } 2056 ecdh = EC_KEY_dup((EC_KEY *)parg); 2057 if (ecdh == NULL) { 2058 SSLerrorx(ERR_R_EC_LIB); 2059 return 0; 2060 } 2061 if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) { 2062 if (!EC_KEY_generate_key(ecdh)) { 2063 EC_KEY_free(ecdh); 2064 SSLerrorx(ERR_R_ECDH_LIB); 2065 return 0; 2066 } 2067 } 2068 2069 EC_KEY_free(cert->ecdh_tmp); 2070 cert->ecdh_tmp = ecdh; 2071 return 1; 2072 } 2073 /* break; */ 2074 case SSL_CTRL_SET_TMP_ECDH_CB: 2075 { 2076 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2077 return (0); 2078 } 2079 break; 2080 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2081 ctx->internal->tlsext_servername_arg = parg; 2082 break; 2083 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2084 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2085 { 2086 unsigned char *keys = parg; 2087 if (!keys) 2088 return 48; 2089 if (larg != 48) { 2090 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2091 return 0; 2092 } 2093 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { 2094 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); 2095 memcpy(ctx->internal->tlsext_tick_hmac_key, 2096 keys + 16, 16); 2097 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); 2098 } else { 2099 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); 2100 memcpy(keys + 16, 2101 ctx->internal->tlsext_tick_hmac_key, 16); 2102 memcpy(keys + 32, 2103 ctx->internal->tlsext_tick_aes_key, 16); 2104 } 2105 return 1; 2106 } 2107 2108 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2109 ctx->internal->tlsext_status_arg = parg; 2110 return 1; 2111 2112 case SSL_CTRL_SET_ECDH_AUTO: 2113 ctx->internal->cert->ecdh_tmp_auto = larg; 2114 return 1; 2115 2116 /* A Thawte special :-) */ 2117 case SSL_CTRL_EXTRA_CHAIN_CERT: 2118 if (ctx->extra_certs == NULL) { 2119 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2120 return (0); 2121 } 2122 sk_X509_push(ctx->extra_certs,(X509 *)parg); 2123 break; 2124 2125 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2126 *(STACK_OF(X509) **)parg = ctx->extra_certs; 2127 break; 2128 2129 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2130 sk_X509_pop_free(ctx->extra_certs, X509_free); 2131 ctx->extra_certs = NULL; 2132 break; 2133 2134 case SSL_CTRL_SET_GROUPS: 2135 return SSL_CTX_set1_groups(ctx, parg, larg); 2136 2137 case SSL_CTRL_SET_GROUPS_LIST: 2138 return SSL_CTX_set1_groups_list(ctx, parg); 2139 2140 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2141 if (larg < 0 || larg > UINT16_MAX) 2142 return (0); 2143 return SSL_CTX_set_min_proto_version(ctx, larg); 2144 2145 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2146 if (larg < 0 || larg > UINT16_MAX) 2147 return (0); 2148 return SSL_CTX_set_max_proto_version(ctx, larg); 2149 2150 default: 2151 return (0); 2152 } 2153 return (1); 2154 } 2155 2156 int 2157 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2158 { 2159 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, 2160 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); 2161 } 2162 2163 int 2164 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2165 { 2166 return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups, 2167 &ctx->internal->tlsext_supportedgroups_length, groups); 2168 } 2169 2170 long 2171 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2172 { 2173 CERT *cert; 2174 2175 cert = ctx->internal->cert; 2176 2177 switch (cmd) { 2178 case SSL_CTRL_SET_TMP_RSA_CB: 2179 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2180 return (0); 2181 case SSL_CTRL_SET_TMP_DH_CB: 2182 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2183 break; 2184 case SSL_CTRL_SET_TMP_ECDH_CB: 2185 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2186 break; 2187 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2188 ctx->internal->tlsext_servername_callback = 2189 (int (*)(SSL *, int *, void *))fp; 2190 break; 2191 2192 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2193 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2194 break; 2195 2196 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2197 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2198 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2199 break; 2200 2201 default: 2202 return (0); 2203 } 2204 return (1); 2205 } 2206 2207 /* 2208 * This function needs to check if the ciphers required are actually available. 2209 */ 2210 const SSL_CIPHER * 2211 ssl3_get_cipher_by_char(const unsigned char *p) 2212 { 2213 CBS cipher; 2214 uint16_t cipher_value; 2215 2216 /* We have to assume it is at least 2 bytes due to existing API. */ 2217 CBS_init(&cipher, p, 2); 2218 if (!CBS_get_u16(&cipher, &cipher_value)) 2219 return NULL; 2220 2221 return ssl3_get_cipher_by_value(cipher_value); 2222 } 2223 2224 int 2225 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) 2226 { 2227 if (p != NULL) { 2228 if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) 2229 return (0); 2230 s2n(ssl3_cipher_get_value(c), p); 2231 } 2232 return (2); 2233 } 2234 2235 SSL_CIPHER * 2236 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2237 STACK_OF(SSL_CIPHER) *srvr) 2238 { 2239 unsigned long alg_k, alg_a, mask_k, mask_a; 2240 STACK_OF(SSL_CIPHER) *prio, *allow; 2241 SSL_CIPHER *c, *ret = NULL; 2242 int i, ii, ok; 2243 CERT *cert; 2244 2245 /* Let's see which ciphers we can support */ 2246 cert = s->cert; 2247 2248 /* 2249 * Do not set the compare functions, because this may lead to a 2250 * reordering by "id". We want to keep the original ordering. 2251 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2252 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2253 */ 2254 2255 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2256 prio = srvr; 2257 allow = clnt; 2258 } else { 2259 prio = clnt; 2260 allow = srvr; 2261 } 2262 2263 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2264 c = sk_SSL_CIPHER_value(prio, i); 2265 2266 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2267 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2268 !SSL_USE_TLS1_2_CIPHERS(s)) 2269 continue; 2270 2271 ssl_set_cert_masks(cert, c); 2272 mask_k = cert->mask_k; 2273 mask_a = cert->mask_a; 2274 2275 alg_k = c->algorithm_mkey; 2276 alg_a = c->algorithm_auth; 2277 2278 2279 ok = (alg_k & mask_k) && (alg_a & mask_a); 2280 2281 /* 2282 * If we are considering an ECC cipher suite that uses our 2283 * certificate check it. 2284 */ 2285 if (alg_a & SSL_aECDSA) 2286 ok = ok && tls1_check_ec_server_key(s); 2287 /* 2288 * If we are considering an ECC cipher suite that uses 2289 * an ephemeral EC key check it. 2290 */ 2291 if (alg_k & SSL_kECDHE) 2292 ok = ok && tls1_check_ec_tmp_key(s); 2293 2294 if (!ok) 2295 continue; 2296 ii = sk_SSL_CIPHER_find(allow, c); 2297 if (ii >= 0) { 2298 ret = sk_SSL_CIPHER_value(allow, ii); 2299 break; 2300 } 2301 } 2302 return (ret); 2303 } 2304 2305 int 2306 ssl3_get_req_cert_type(SSL *s, unsigned char *p) 2307 { 2308 int ret = 0; 2309 unsigned long alg_k; 2310 2311 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; 2312 2313 #ifndef OPENSSL_NO_GOST 2314 if ((alg_k & SSL_kGOST)) { 2315 p[ret++] = TLS_CT_GOST94_SIGN; 2316 p[ret++] = TLS_CT_GOST01_SIGN; 2317 p[ret++] = TLS_CT_GOST12_256_SIGN; 2318 p[ret++] = TLS_CT_GOST12_512_SIGN; 2319 } 2320 #endif 2321 2322 if (alg_k & SSL_kDHE) { 2323 p[ret++] = SSL3_CT_RSA_FIXED_DH; 2324 p[ret++] = SSL3_CT_DSS_FIXED_DH; 2325 } 2326 p[ret++] = SSL3_CT_RSA_SIGN; 2327 p[ret++] = SSL3_CT_DSS_SIGN; 2328 2329 /* 2330 * ECDSA certs can be used with RSA cipher suites as well 2331 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2332 */ 2333 p[ret++] = TLS_CT_ECDSA_SIGN; 2334 2335 return (ret); 2336 } 2337 2338 int 2339 ssl3_shutdown(SSL *s) 2340 { 2341 int ret; 2342 2343 /* 2344 * Don't do anything much if we have not done the handshake or 2345 * we don't want to send messages :-) 2346 */ 2347 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) { 2348 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2349 return (1); 2350 } 2351 2352 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) { 2353 s->internal->shutdown|=SSL_SENT_SHUTDOWN; 2354 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2355 /* 2356 * Our shutdown alert has been sent now, and if it still needs 2357 * to be written, s->s3->alert_dispatch will be true 2358 */ 2359 if (s->s3->alert_dispatch) 2360 return(-1); /* return WANT_WRITE */ 2361 } else if (s->s3->alert_dispatch) { 2362 /* resend it if not sent */ 2363 ret = s->method->ssl_dispatch_alert(s); 2364 if (ret == -1) { 2365 /* 2366 * We only get to return -1 here the 2nd/Nth 2367 * invocation, we must have already signalled 2368 * return 0 upon a previous invoation, 2369 * return WANT_WRITE 2370 */ 2371 return (ret); 2372 } 2373 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2374 /* If we are waiting for a close from our peer, we are closed */ 2375 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0); 2376 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2377 return(-1); /* return WANT_READ */ 2378 } 2379 } 2380 2381 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2382 !s->s3->alert_dispatch) 2383 return (1); 2384 else 2385 return (0); 2386 } 2387 2388 int 2389 ssl3_write(SSL *s, const void *buf, int len) 2390 { 2391 int ret, n; 2392 2393 #if 0 2394 if (s->internal->shutdown & SSL_SEND_SHUTDOWN) { 2395 s->internal->rwstate = SSL_NOTHING; 2396 return (0); 2397 } 2398 #endif 2399 errno = 0; 2400 if (S3I(s)->renegotiate) 2401 ssl3_renegotiate_check(s); 2402 2403 /* 2404 * This is an experimental flag that sends the 2405 * last handshake message in the same packet as the first 2406 * use data - used to see if it helps the TCP protocol during 2407 * session-id reuse 2408 */ 2409 /* The second test is because the buffer may have been removed */ 2410 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { 2411 /* First time through, we write into the buffer */ 2412 if (S3I(s)->delay_buf_pop_ret == 0) { 2413 ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2414 buf, len); 2415 if (ret <= 0) 2416 return (ret); 2417 2418 S3I(s)->delay_buf_pop_ret = ret; 2419 } 2420 2421 s->internal->rwstate = SSL_WRITING; 2422 n = BIO_flush(s->wbio); 2423 if (n <= 0) 2424 return (n); 2425 s->internal->rwstate = SSL_NOTHING; 2426 2427 /* We have flushed the buffer, so remove it */ 2428 ssl_free_wbio_buffer(s); 2429 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 2430 2431 ret = S3I(s)->delay_buf_pop_ret; 2432 S3I(s)->delay_buf_pop_ret = 0; 2433 } else { 2434 ret = s->method->internal->ssl_write_bytes(s, 2435 SSL3_RT_APPLICATION_DATA, buf, len); 2436 if (ret <= 0) 2437 return (ret); 2438 } 2439 2440 return (ret); 2441 } 2442 2443 static int 2444 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2445 { 2446 int ret; 2447 2448 errno = 0; 2449 if (S3I(s)->renegotiate) 2450 ssl3_renegotiate_check(s); 2451 S3I(s)->in_read_app_data = 1; 2452 ret = s->method->internal->ssl_read_bytes(s, 2453 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2454 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { 2455 /* 2456 * ssl3_read_bytes decided to call s->internal->handshake_func, which 2457 * called ssl3_read_bytes to read handshake data. 2458 * However, ssl3_read_bytes actually found application data 2459 * and thinks that application data makes sense here; so disable 2460 * handshake processing and try to read application data again. 2461 */ 2462 s->internal->in_handshake++; 2463 ret = s->method->internal->ssl_read_bytes(s, 2464 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2465 s->internal->in_handshake--; 2466 } else 2467 S3I(s)->in_read_app_data = 0; 2468 2469 return (ret); 2470 } 2471 2472 int 2473 ssl3_read(SSL *s, void *buf, int len) 2474 { 2475 return ssl3_read_internal(s, buf, len, 0); 2476 } 2477 2478 int 2479 ssl3_peek(SSL *s, void *buf, int len) 2480 { 2481 return ssl3_read_internal(s, buf, len, 1); 2482 } 2483 2484 int 2485 ssl3_renegotiate(SSL *s) 2486 { 2487 if (s->internal->handshake_func == NULL) 2488 return (1); 2489 2490 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2491 return (0); 2492 2493 S3I(s)->renegotiate = 1; 2494 return (1); 2495 } 2496 2497 int 2498 ssl3_renegotiate_check(SSL *s) 2499 { 2500 int ret = 0; 2501 2502 if (S3I(s)->renegotiate) { 2503 if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) && 2504 !SSL_in_init(s)) { 2505 /* 2506 * If we are the server, and we have sent 2507 * a 'RENEGOTIATE' message, we need to go 2508 * to SSL_ST_ACCEPT. 2509 */ 2510 /* SSL_ST_ACCEPT */ 2511 S3I(s)->hs.state = SSL_ST_RENEGOTIATE; 2512 S3I(s)->renegotiate = 0; 2513 S3I(s)->num_renegotiations++; 2514 S3I(s)->total_renegotiations++; 2515 ret = 1; 2516 } 2517 } 2518 return (ret); 2519 } 2520 /* 2521 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF 2522 * and handshake macs if required. 2523 */ 2524 long 2525 ssl_get_algorithm2(SSL *s) 2526 { 2527 long alg2 = S3I(s)->hs.new_cipher->algorithm2; 2528 2529 if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF && 2530 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) 2531 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; 2532 return alg2; 2533 } 2534