1 /* $OpenBSD: s3_lib.c,v 1.257 2024/07/23 14:40:53 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 #include <stdlib.h> 154 155 #include <openssl/bn.h> 156 #include <openssl/curve25519.h> 157 #include <openssl/dh.h> 158 #include <openssl/md5.h> 159 #include <openssl/objects.h> 160 #include <openssl/opensslconf.h> 161 162 #include "bytestring.h" 163 #include "dtls_local.h" 164 #include "ssl_local.h" 165 #include "ssl_sigalgs.h" 166 #include "ssl_tlsext.h" 167 #include "tls_content.h" 168 169 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 170 171 /* list of available SSLv3 ciphers (sorted by id) */ 172 const SSL_CIPHER ssl3_ciphers[] = { 173 174 /* 175 * SSLv3 RSA cipher suites (RFC 6101, appendix A.6). 176 */ 177 { 178 .value = 0x0001, 179 .name = SSL3_TXT_RSA_NULL_MD5, 180 .algorithm_mkey = SSL_kRSA, 181 .algorithm_auth = SSL_aRSA, 182 .algorithm_enc = SSL_eNULL, 183 .algorithm_mac = SSL_MD5, 184 .algorithm_ssl = SSL_SSLV3, 185 .algo_strength = SSL_STRONG_NONE, 186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 187 .strength_bits = 0, 188 .alg_bits = 0, 189 }, 190 { 191 .value = 0x0002, 192 .name = SSL3_TXT_RSA_NULL_SHA, 193 .algorithm_mkey = SSL_kRSA, 194 .algorithm_auth = SSL_aRSA, 195 .algorithm_enc = SSL_eNULL, 196 .algorithm_mac = SSL_SHA1, 197 .algorithm_ssl = SSL_SSLV3, 198 .algo_strength = SSL_STRONG_NONE, 199 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 200 .strength_bits = 0, 201 .alg_bits = 0, 202 }, 203 { 204 .value = 0x0004, 205 .name = SSL3_TXT_RSA_RC4_128_MD5, 206 .algorithm_mkey = SSL_kRSA, 207 .algorithm_auth = SSL_aRSA, 208 .algorithm_enc = SSL_RC4, 209 .algorithm_mac = SSL_MD5, 210 .algorithm_ssl = SSL_SSLV3, 211 .algo_strength = SSL_LOW, 212 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 213 .strength_bits = 128, 214 .alg_bits = 128, 215 }, 216 { 217 .value = 0x0005, 218 .name = SSL3_TXT_RSA_RC4_128_SHA, 219 .algorithm_mkey = SSL_kRSA, 220 .algorithm_auth = SSL_aRSA, 221 .algorithm_enc = SSL_RC4, 222 .algorithm_mac = SSL_SHA1, 223 .algorithm_ssl = SSL_SSLV3, 224 .algo_strength = SSL_LOW, 225 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 226 .strength_bits = 128, 227 .alg_bits = 128, 228 }, 229 { 230 .value = 0x000a, 231 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 232 .algorithm_mkey = SSL_kRSA, 233 .algorithm_auth = SSL_aRSA, 234 .algorithm_enc = SSL_3DES, 235 .algorithm_mac = SSL_SHA1, 236 .algorithm_ssl = SSL_SSLV3, 237 .algo_strength = SSL_MEDIUM, 238 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 239 .strength_bits = 112, 240 .alg_bits = 168, 241 }, 242 243 /* 244 * SSLv3 DHE cipher suites (RFC 6101, appendix A.6). 245 */ 246 { 247 .value = 0x0016, 248 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 249 .algorithm_mkey = SSL_kDHE, 250 .algorithm_auth = SSL_aRSA, 251 .algorithm_enc = SSL_3DES, 252 .algorithm_mac = SSL_SHA1, 253 .algorithm_ssl = SSL_SSLV3, 254 .algo_strength = SSL_MEDIUM, 255 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 256 .strength_bits = 112, 257 .alg_bits = 168, 258 }, 259 { 260 .value = 0x0018, 261 .name = SSL3_TXT_ADH_RC4_128_MD5, 262 .algorithm_mkey = SSL_kDHE, 263 .algorithm_auth = SSL_aNULL, 264 .algorithm_enc = SSL_RC4, 265 .algorithm_mac = SSL_MD5, 266 .algorithm_ssl = SSL_SSLV3, 267 .algo_strength = SSL_LOW, 268 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 269 .strength_bits = 128, 270 .alg_bits = 128, 271 }, 272 { 273 .value = 0x001b, 274 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 275 .algorithm_mkey = SSL_kDHE, 276 .algorithm_auth = SSL_aNULL, 277 .algorithm_enc = SSL_3DES, 278 .algorithm_mac = SSL_SHA1, 279 .algorithm_ssl = SSL_SSLV3, 280 .algo_strength = SSL_MEDIUM, 281 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 282 .strength_bits = 112, 283 .alg_bits = 168, 284 }, 285 286 /* 287 * TLSv1.0 AES cipher suites (RFC 3268). 288 */ 289 { 290 .value = 0x002f, 291 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 292 .algorithm_mkey = SSL_kRSA, 293 .algorithm_auth = SSL_aRSA, 294 .algorithm_enc = SSL_AES128, 295 .algorithm_mac = SSL_SHA1, 296 .algorithm_ssl = SSL_TLSV1, 297 .algo_strength = SSL_HIGH, 298 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 299 .strength_bits = 128, 300 .alg_bits = 128, 301 }, 302 { 303 .value = 0x0033, 304 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 305 .algorithm_mkey = SSL_kDHE, 306 .algorithm_auth = SSL_aRSA, 307 .algorithm_enc = SSL_AES128, 308 .algorithm_mac = SSL_SHA1, 309 .algorithm_ssl = SSL_TLSV1, 310 .algo_strength = SSL_HIGH, 311 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 312 .strength_bits = 128, 313 .alg_bits = 128, 314 }, 315 { 316 .value = 0x0034, 317 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 318 .algorithm_mkey = SSL_kDHE, 319 .algorithm_auth = SSL_aNULL, 320 .algorithm_enc = SSL_AES128, 321 .algorithm_mac = SSL_SHA1, 322 .algorithm_ssl = SSL_TLSV1, 323 .algo_strength = SSL_HIGH, 324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 325 .strength_bits = 128, 326 .alg_bits = 128, 327 }, 328 { 329 .value = 0x0035, 330 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 331 .algorithm_mkey = SSL_kRSA, 332 .algorithm_auth = SSL_aRSA, 333 .algorithm_enc = SSL_AES256, 334 .algorithm_mac = SSL_SHA1, 335 .algorithm_ssl = SSL_TLSV1, 336 .algo_strength = SSL_HIGH, 337 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 338 .strength_bits = 256, 339 .alg_bits = 256, 340 }, 341 { 342 .value = 0x0039, 343 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 344 .algorithm_mkey = SSL_kDHE, 345 .algorithm_auth = SSL_aRSA, 346 .algorithm_enc = SSL_AES256, 347 .algorithm_mac = SSL_SHA1, 348 .algorithm_ssl = SSL_TLSV1, 349 .algo_strength = SSL_HIGH, 350 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 351 .strength_bits = 256, 352 .alg_bits = 256, 353 }, 354 { 355 .value = 0x003a, 356 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 357 .algorithm_mkey = SSL_kDHE, 358 .algorithm_auth = SSL_aNULL, 359 .algorithm_enc = SSL_AES256, 360 .algorithm_mac = SSL_SHA1, 361 .algorithm_ssl = SSL_TLSV1, 362 .algo_strength = SSL_HIGH, 363 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 364 .strength_bits = 256, 365 .alg_bits = 256, 366 }, 367 368 /* 369 * TLSv1.2 RSA cipher suites (RFC 5246, appendix A.5). 370 */ 371 { 372 .value = 0x003b, 373 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 374 .algorithm_mkey = SSL_kRSA, 375 .algorithm_auth = SSL_aRSA, 376 .algorithm_enc = SSL_eNULL, 377 .algorithm_mac = SSL_SHA256, 378 .algorithm_ssl = SSL_TLSV1_2, 379 .algo_strength = SSL_STRONG_NONE, 380 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 381 .strength_bits = 0, 382 .alg_bits = 0, 383 }, 384 { 385 .value = 0x003c, 386 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 387 .algorithm_mkey = SSL_kRSA, 388 .algorithm_auth = SSL_aRSA, 389 .algorithm_enc = SSL_AES128, 390 .algorithm_mac = SSL_SHA256, 391 .algorithm_ssl = SSL_TLSV1_2, 392 .algo_strength = SSL_HIGH, 393 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 394 .strength_bits = 128, 395 .alg_bits = 128, 396 }, 397 { 398 .value = 0x003d, 399 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 400 .algorithm_mkey = SSL_kRSA, 401 .algorithm_auth = SSL_aRSA, 402 .algorithm_enc = SSL_AES256, 403 .algorithm_mac = SSL_SHA256, 404 .algorithm_ssl = SSL_TLSV1_2, 405 .algo_strength = SSL_HIGH, 406 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 407 .strength_bits = 256, 408 .alg_bits = 256, 409 }, 410 411 #ifndef OPENSSL_NO_CAMELLIA 412 /* 413 * TLSv1.0 Camellia 128 bit cipher suites (RFC 4132). 414 */ 415 { 416 .value = 0x0041, 417 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 418 .algorithm_mkey = SSL_kRSA, 419 .algorithm_auth = SSL_aRSA, 420 .algorithm_enc = SSL_CAMELLIA128, 421 .algorithm_mac = SSL_SHA1, 422 .algorithm_ssl = SSL_TLSV1, 423 .algo_strength = SSL_HIGH, 424 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 425 .strength_bits = 128, 426 .alg_bits = 128, 427 }, 428 { 429 .value = 0x0045, 430 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 431 .algorithm_mkey = SSL_kDHE, 432 .algorithm_auth = SSL_aRSA, 433 .algorithm_enc = SSL_CAMELLIA128, 434 .algorithm_mac = SSL_SHA1, 435 .algorithm_ssl = SSL_TLSV1, 436 .algo_strength = SSL_HIGH, 437 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 438 .strength_bits = 128, 439 .alg_bits = 128, 440 }, 441 { 442 .value = 0x0046, 443 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 444 .algorithm_mkey = SSL_kDHE, 445 .algorithm_auth = SSL_aNULL, 446 .algorithm_enc = SSL_CAMELLIA128, 447 .algorithm_mac = SSL_SHA1, 448 .algorithm_ssl = SSL_TLSV1, 449 .algo_strength = SSL_HIGH, 450 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 451 .strength_bits = 128, 452 .alg_bits = 128, 453 }, 454 #endif /* OPENSSL_NO_CAMELLIA */ 455 456 /* 457 * TLSv1.2 DHE cipher suites (RFC 5246, appendix A.5). 458 */ 459 { 460 .value = 0x0067, 461 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 462 .algorithm_mkey = SSL_kDHE, 463 .algorithm_auth = SSL_aRSA, 464 .algorithm_enc = SSL_AES128, 465 .algorithm_mac = SSL_SHA256, 466 .algorithm_ssl = SSL_TLSV1_2, 467 .algo_strength = SSL_HIGH, 468 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 469 .strength_bits = 128, 470 .alg_bits = 128, 471 }, 472 { 473 .value = 0x006b, 474 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 475 .algorithm_mkey = SSL_kDHE, 476 .algorithm_auth = SSL_aRSA, 477 .algorithm_enc = SSL_AES256, 478 .algorithm_mac = SSL_SHA256, 479 .algorithm_ssl = SSL_TLSV1_2, 480 .algo_strength = SSL_HIGH, 481 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 482 .strength_bits = 256, 483 .alg_bits = 256, 484 }, 485 { 486 .value = 0x006c, 487 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 488 .algorithm_mkey = SSL_kDHE, 489 .algorithm_auth = SSL_aNULL, 490 .algorithm_enc = SSL_AES128, 491 .algorithm_mac = SSL_SHA256, 492 .algorithm_ssl = SSL_TLSV1_2, 493 .algo_strength = SSL_HIGH, 494 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 495 .strength_bits = 128, 496 .alg_bits = 128, 497 }, 498 { 499 .value = 0x006d, 500 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 501 .algorithm_mkey = SSL_kDHE, 502 .algorithm_auth = SSL_aNULL, 503 .algorithm_enc = SSL_AES256, 504 .algorithm_mac = SSL_SHA256, 505 .algorithm_ssl = SSL_TLSV1_2, 506 .algo_strength = SSL_HIGH, 507 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 508 .strength_bits = 256, 509 .alg_bits = 256, 510 }, 511 512 #ifndef OPENSSL_NO_CAMELLIA 513 /* 514 * TLSv1.0 Camellia 256 bit cipher suites (RFC 4132). 515 */ 516 { 517 .value = 0x0084, 518 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 519 .algorithm_mkey = SSL_kRSA, 520 .algorithm_auth = SSL_aRSA, 521 .algorithm_enc = SSL_CAMELLIA256, 522 .algorithm_mac = SSL_SHA1, 523 .algorithm_ssl = SSL_TLSV1, 524 .algo_strength = SSL_HIGH, 525 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 526 .strength_bits = 256, 527 .alg_bits = 256, 528 }, 529 { 530 .value = 0x0088, 531 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 532 .algorithm_mkey = SSL_kDHE, 533 .algorithm_auth = SSL_aRSA, 534 .algorithm_enc = SSL_CAMELLIA256, 535 .algorithm_mac = SSL_SHA1, 536 .algorithm_ssl = SSL_TLSV1, 537 .algo_strength = SSL_HIGH, 538 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 539 .strength_bits = 256, 540 .alg_bits = 256, 541 }, 542 { 543 .value = 0x0089, 544 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 545 .algorithm_mkey = SSL_kDHE, 546 .algorithm_auth = SSL_aNULL, 547 .algorithm_enc = SSL_CAMELLIA256, 548 .algorithm_mac = SSL_SHA1, 549 .algorithm_ssl = SSL_TLSV1, 550 .algo_strength = SSL_HIGH, 551 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 552 .strength_bits = 256, 553 .alg_bits = 256, 554 }, 555 #endif /* OPENSSL_NO_CAMELLIA */ 556 557 /* 558 * TLSv1.2 AES GCM cipher suites (RFC 5288). 559 */ 560 { 561 .value = 0x009c, 562 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 563 .algorithm_mkey = SSL_kRSA, 564 .algorithm_auth = SSL_aRSA, 565 .algorithm_enc = SSL_AES128GCM, 566 .algorithm_mac = SSL_AEAD, 567 .algorithm_ssl = SSL_TLSV1_2, 568 .algo_strength = SSL_HIGH, 569 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 570 .strength_bits = 128, 571 .alg_bits = 128, 572 }, 573 { 574 .value = 0x009d, 575 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 576 .algorithm_mkey = SSL_kRSA, 577 .algorithm_auth = SSL_aRSA, 578 .algorithm_enc = SSL_AES256GCM, 579 .algorithm_mac = SSL_AEAD, 580 .algorithm_ssl = SSL_TLSV1_2, 581 .algo_strength = SSL_HIGH, 582 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 583 .strength_bits = 256, 584 .alg_bits = 256, 585 }, 586 { 587 .value = 0x009e, 588 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 589 .algorithm_mkey = SSL_kDHE, 590 .algorithm_auth = SSL_aRSA, 591 .algorithm_enc = SSL_AES128GCM, 592 .algorithm_mac = SSL_AEAD, 593 .algorithm_ssl = SSL_TLSV1_2, 594 .algo_strength = SSL_HIGH, 595 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 596 .strength_bits = 128, 597 .alg_bits = 128, 598 }, 599 { 600 .value = 0x009f, 601 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 602 .algorithm_mkey = SSL_kDHE, 603 .algorithm_auth = SSL_aRSA, 604 .algorithm_enc = SSL_AES256GCM, 605 .algorithm_mac = SSL_AEAD, 606 .algorithm_ssl = SSL_TLSV1_2, 607 .algo_strength = SSL_HIGH, 608 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 609 .strength_bits = 256, 610 .alg_bits = 256, 611 }, 612 { 613 .value = 0x00a6, 614 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 615 .algorithm_mkey = SSL_kDHE, 616 .algorithm_auth = SSL_aNULL, 617 .algorithm_enc = SSL_AES128GCM, 618 .algorithm_mac = SSL_AEAD, 619 .algorithm_ssl = SSL_TLSV1_2, 620 .algo_strength = SSL_HIGH, 621 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 622 .strength_bits = 128, 623 .alg_bits = 128, 624 }, 625 { 626 .value = 0x00a7, 627 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 628 .algorithm_mkey = SSL_kDHE, 629 .algorithm_auth = SSL_aNULL, 630 .algorithm_enc = SSL_AES256GCM, 631 .algorithm_mac = SSL_AEAD, 632 .algorithm_ssl = SSL_TLSV1_2, 633 .algo_strength = SSL_HIGH, 634 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 635 .strength_bits = 256, 636 .alg_bits = 256, 637 }, 638 639 #ifndef OPENSSL_NO_CAMELLIA 640 /* 641 * TLSv1.2 Camellia SHA-256 cipher suites (RFC 5932). 642 */ 643 { 644 .value = 0x00ba, 645 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 646 .algorithm_mkey = SSL_kRSA, 647 .algorithm_auth = SSL_aRSA, 648 .algorithm_enc = SSL_CAMELLIA128, 649 .algorithm_mac = SSL_SHA256, 650 .algorithm_ssl = SSL_TLSV1_2, 651 .algo_strength = SSL_HIGH, 652 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 653 .strength_bits = 128, 654 .alg_bits = 128, 655 }, 656 { 657 .value = 0x000be, 658 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 659 .algorithm_mkey = SSL_kDHE, 660 .algorithm_auth = SSL_aRSA, 661 .algorithm_enc = SSL_CAMELLIA128, 662 .algorithm_mac = SSL_SHA256, 663 .algorithm_ssl = SSL_TLSV1_2, 664 .algo_strength = SSL_HIGH, 665 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 666 .strength_bits = 128, 667 .alg_bits = 128, 668 }, 669 { 670 .value = 0x00bf, 671 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 672 .algorithm_mkey = SSL_kDHE, 673 .algorithm_auth = SSL_aNULL, 674 .algorithm_enc = SSL_CAMELLIA128, 675 .algorithm_mac = SSL_SHA256, 676 .algorithm_ssl = SSL_TLSV1_2, 677 .algo_strength = SSL_HIGH, 678 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 679 .strength_bits = 128, 680 .alg_bits = 128, 681 }, 682 { 683 .value = 0x00c0, 684 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 685 .algorithm_mkey = SSL_kRSA, 686 .algorithm_auth = SSL_aRSA, 687 .algorithm_enc = SSL_CAMELLIA256, 688 .algorithm_mac = SSL_SHA256, 689 .algorithm_ssl = SSL_TLSV1_2, 690 .algo_strength = SSL_HIGH, 691 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 692 .strength_bits = 256, 693 .alg_bits = 256, 694 }, 695 { 696 .value = 0x00c4, 697 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 698 .algorithm_mkey = SSL_kDHE, 699 .algorithm_auth = SSL_aRSA, 700 .algorithm_enc = SSL_CAMELLIA256, 701 .algorithm_mac = SSL_SHA256, 702 .algorithm_ssl = SSL_TLSV1_2, 703 .algo_strength = SSL_HIGH, 704 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 705 .strength_bits = 256, 706 .alg_bits = 256, 707 }, 708 { 709 .value = 0x00c5, 710 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 711 .algorithm_mkey = SSL_kDHE, 712 .algorithm_auth = SSL_aNULL, 713 .algorithm_enc = SSL_CAMELLIA256, 714 .algorithm_mac = SSL_SHA256, 715 .algorithm_ssl = SSL_TLSV1_2, 716 .algo_strength = SSL_HIGH, 717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 718 .strength_bits = 256, 719 .alg_bits = 256, 720 }, 721 #endif /* OPENSSL_NO_CAMELLIA */ 722 723 #ifdef LIBRESSL_HAS_TLS1_3 724 /* 725 * TLSv1.3 cipher suites (RFC 8446). 726 */ 727 { 728 .value = 0x1301, 729 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 730 .algorithm_mkey = SSL_kTLS1_3, 731 .algorithm_auth = SSL_aTLS1_3, 732 .algorithm_enc = SSL_AES128GCM, 733 .algorithm_mac = SSL_AEAD, 734 .algorithm_ssl = SSL_TLSV1_3, 735 .algo_strength = SSL_HIGH, 736 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 737 .strength_bits = 128, 738 .alg_bits = 128, 739 }, 740 { 741 .value = 0x1302, 742 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 743 .algorithm_mkey = SSL_kTLS1_3, 744 .algorithm_auth = SSL_aTLS1_3, 745 .algorithm_enc = SSL_AES256GCM, 746 .algorithm_mac = SSL_AEAD, 747 .algorithm_ssl = SSL_TLSV1_3, 748 .algo_strength = SSL_HIGH, 749 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 750 .strength_bits = 256, 751 .alg_bits = 256, 752 }, 753 { 754 .value = 0x1303, 755 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 756 .algorithm_mkey = SSL_kTLS1_3, 757 .algorithm_auth = SSL_aTLS1_3, 758 .algorithm_enc = SSL_CHACHA20POLY1305, 759 .algorithm_mac = SSL_AEAD, 760 .algorithm_ssl = SSL_TLSV1_3, 761 .algo_strength = SSL_HIGH, 762 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 763 .strength_bits = 256, 764 .alg_bits = 256, 765 }, 766 #endif 767 768 /* 769 * TLSv1.0 Elliptic Curve cipher suites (RFC 4492, section 6). 770 */ 771 { 772 .value = 0xc006, 773 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 774 .algorithm_mkey = SSL_kECDHE, 775 .algorithm_auth = SSL_aECDSA, 776 .algorithm_enc = SSL_eNULL, 777 .algorithm_mac = SSL_SHA1, 778 .algorithm_ssl = SSL_TLSV1, 779 .algo_strength = SSL_STRONG_NONE, 780 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 781 .strength_bits = 0, 782 .alg_bits = 0, 783 }, 784 { 785 .value = 0xc007, 786 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 787 .algorithm_mkey = SSL_kECDHE, 788 .algorithm_auth = SSL_aECDSA, 789 .algorithm_enc = SSL_RC4, 790 .algorithm_mac = SSL_SHA1, 791 .algorithm_ssl = SSL_TLSV1, 792 .algo_strength = SSL_LOW, 793 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 794 .strength_bits = 128, 795 .alg_bits = 128, 796 }, 797 { 798 .value = 0xc008, 799 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 800 .algorithm_mkey = SSL_kECDHE, 801 .algorithm_auth = SSL_aECDSA, 802 .algorithm_enc = SSL_3DES, 803 .algorithm_mac = SSL_SHA1, 804 .algorithm_ssl = SSL_TLSV1, 805 .algo_strength = SSL_MEDIUM, 806 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 807 .strength_bits = 112, 808 .alg_bits = 168, 809 }, 810 { 811 .value = 0xc009, 812 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 813 .algorithm_mkey = SSL_kECDHE, 814 .algorithm_auth = SSL_aECDSA, 815 .algorithm_enc = SSL_AES128, 816 .algorithm_mac = SSL_SHA1, 817 .algorithm_ssl = SSL_TLSV1, 818 .algo_strength = SSL_HIGH, 819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 820 .strength_bits = 128, 821 .alg_bits = 128, 822 }, 823 { 824 .value = 0xc00a, 825 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 826 .algorithm_mkey = SSL_kECDHE, 827 .algorithm_auth = SSL_aECDSA, 828 .algorithm_enc = SSL_AES256, 829 .algorithm_mac = SSL_SHA1, 830 .algorithm_ssl = SSL_TLSV1, 831 .algo_strength = SSL_HIGH, 832 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 833 .strength_bits = 256, 834 .alg_bits = 256, 835 }, 836 { 837 .value = 0xc010, 838 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 839 .algorithm_mkey = SSL_kECDHE, 840 .algorithm_auth = SSL_aRSA, 841 .algorithm_enc = SSL_eNULL, 842 .algorithm_mac = SSL_SHA1, 843 .algorithm_ssl = SSL_TLSV1, 844 .algo_strength = SSL_STRONG_NONE, 845 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 846 .strength_bits = 0, 847 .alg_bits = 0, 848 }, 849 { 850 .value = 0xc011, 851 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 852 .algorithm_mkey = SSL_kECDHE, 853 .algorithm_auth = SSL_aRSA, 854 .algorithm_enc = SSL_RC4, 855 .algorithm_mac = SSL_SHA1, 856 .algorithm_ssl = SSL_TLSV1, 857 .algo_strength = SSL_LOW, 858 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 859 .strength_bits = 128, 860 .alg_bits = 128, 861 }, 862 { 863 .value = 0xc012, 864 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 865 .algorithm_mkey = SSL_kECDHE, 866 .algorithm_auth = SSL_aRSA, 867 .algorithm_enc = SSL_3DES, 868 .algorithm_mac = SSL_SHA1, 869 .algorithm_ssl = SSL_TLSV1, 870 .algo_strength = SSL_MEDIUM, 871 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 872 .strength_bits = 112, 873 .alg_bits = 168, 874 }, 875 { 876 .value = 0xc013, 877 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 878 .algorithm_mkey = SSL_kECDHE, 879 .algorithm_auth = SSL_aRSA, 880 .algorithm_enc = SSL_AES128, 881 .algorithm_mac = SSL_SHA1, 882 .algorithm_ssl = SSL_TLSV1, 883 .algo_strength = SSL_HIGH, 884 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 885 .strength_bits = 128, 886 .alg_bits = 128, 887 }, 888 { 889 .value = 0xc014, 890 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 891 .algorithm_mkey = SSL_kECDHE, 892 .algorithm_auth = SSL_aRSA, 893 .algorithm_enc = SSL_AES256, 894 .algorithm_mac = SSL_SHA1, 895 .algorithm_ssl = SSL_TLSV1, 896 .algo_strength = SSL_HIGH, 897 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 898 .strength_bits = 256, 899 .alg_bits = 256, 900 }, 901 { 902 .value = 0xc015, 903 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 904 .algorithm_mkey = SSL_kECDHE, 905 .algorithm_auth = SSL_aNULL, 906 .algorithm_enc = SSL_eNULL, 907 .algorithm_mac = SSL_SHA1, 908 .algorithm_ssl = SSL_TLSV1, 909 .algo_strength = SSL_STRONG_NONE, 910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 911 .strength_bits = 0, 912 .alg_bits = 0, 913 }, 914 { 915 .value = 0xc016, 916 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 917 .algorithm_mkey = SSL_kECDHE, 918 .algorithm_auth = SSL_aNULL, 919 .algorithm_enc = SSL_RC4, 920 .algorithm_mac = SSL_SHA1, 921 .algorithm_ssl = SSL_TLSV1, 922 .algo_strength = SSL_LOW, 923 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 924 .strength_bits = 128, 925 .alg_bits = 128, 926 }, 927 { 928 .value = 0xc017, 929 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 930 .algorithm_mkey = SSL_kECDHE, 931 .algorithm_auth = SSL_aNULL, 932 .algorithm_enc = SSL_3DES, 933 .algorithm_mac = SSL_SHA1, 934 .algorithm_ssl = SSL_TLSV1, 935 .algo_strength = SSL_MEDIUM, 936 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 937 .strength_bits = 112, 938 .alg_bits = 168, 939 }, 940 { 941 .value = 0xc018, 942 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 943 .algorithm_mkey = SSL_kECDHE, 944 .algorithm_auth = SSL_aNULL, 945 .algorithm_enc = SSL_AES128, 946 .algorithm_mac = SSL_SHA1, 947 .algorithm_ssl = SSL_TLSV1, 948 .algo_strength = SSL_HIGH, 949 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 950 .strength_bits = 128, 951 .alg_bits = 128, 952 }, 953 { 954 .value = 0xc019, 955 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 956 .algorithm_mkey = SSL_kECDHE, 957 .algorithm_auth = SSL_aNULL, 958 .algorithm_enc = SSL_AES256, 959 .algorithm_mac = SSL_SHA1, 960 .algorithm_ssl = SSL_TLSV1, 961 .algo_strength = SSL_HIGH, 962 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 963 .strength_bits = 256, 964 .alg_bits = 256, 965 }, 966 967 /* 968 * TLSv1.2 Elliptic Curve HMAC cipher suites (RFC 5289, section 3.1). 969 */ 970 { 971 .value = 0xc023, 972 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 973 .algorithm_mkey = SSL_kECDHE, 974 .algorithm_auth = SSL_aECDSA, 975 .algorithm_enc = SSL_AES128, 976 .algorithm_mac = SSL_SHA256, 977 .algorithm_ssl = SSL_TLSV1_2, 978 .algo_strength = SSL_HIGH, 979 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 980 .strength_bits = 128, 981 .alg_bits = 128, 982 }, 983 { 984 .value = 0xc024, 985 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 986 .algorithm_mkey = SSL_kECDHE, 987 .algorithm_auth = SSL_aECDSA, 988 .algorithm_enc = SSL_AES256, 989 .algorithm_mac = SSL_SHA384, 990 .algorithm_ssl = SSL_TLSV1_2, 991 .algo_strength = SSL_HIGH, 992 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 993 .strength_bits = 256, 994 .alg_bits = 256, 995 }, 996 { 997 .value = 0xc027, 998 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 999 .algorithm_mkey = SSL_kECDHE, 1000 .algorithm_auth = SSL_aRSA, 1001 .algorithm_enc = SSL_AES128, 1002 .algorithm_mac = SSL_SHA256, 1003 .algorithm_ssl = SSL_TLSV1_2, 1004 .algo_strength = SSL_HIGH, 1005 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 1006 .strength_bits = 128, 1007 .alg_bits = 128, 1008 }, 1009 { 1010 .value = 0xc028, 1011 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1012 .algorithm_mkey = SSL_kECDHE, 1013 .algorithm_auth = SSL_aRSA, 1014 .algorithm_enc = SSL_AES256, 1015 .algorithm_mac = SSL_SHA384, 1016 .algorithm_ssl = SSL_TLSV1_2, 1017 .algo_strength = SSL_HIGH, 1018 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 1019 .strength_bits = 256, 1020 .alg_bits = 256, 1021 }, 1022 1023 /* 1024 * TLSv1.2 Elliptic Curve GCM cipher suites (RFC 5289, section 3.2). 1025 */ 1026 { 1027 .value = 0xc02b, 1028 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1029 .algorithm_mkey = SSL_kECDHE, 1030 .algorithm_auth = SSL_aECDSA, 1031 .algorithm_enc = SSL_AES128GCM, 1032 .algorithm_mac = SSL_AEAD, 1033 .algorithm_ssl = SSL_TLSV1_2, 1034 .algo_strength = SSL_HIGH, 1035 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 1036 .strength_bits = 128, 1037 .alg_bits = 128, 1038 }, 1039 { 1040 .value = 0xc02c, 1041 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1042 .algorithm_mkey = SSL_kECDHE, 1043 .algorithm_auth = SSL_aECDSA, 1044 .algorithm_enc = SSL_AES256GCM, 1045 .algorithm_mac = SSL_AEAD, 1046 .algorithm_ssl = SSL_TLSV1_2, 1047 .algo_strength = SSL_HIGH, 1048 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 1049 .strength_bits = 256, 1050 .alg_bits = 256, 1051 }, 1052 { 1053 .value = 0xc02f, 1054 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1055 .algorithm_mkey = SSL_kECDHE, 1056 .algorithm_auth = SSL_aRSA, 1057 .algorithm_enc = SSL_AES128GCM, 1058 .algorithm_mac = SSL_AEAD, 1059 .algorithm_ssl = SSL_TLSV1_2, 1060 .algo_strength = SSL_HIGH, 1061 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 1062 .strength_bits = 128, 1063 .alg_bits = 128, 1064 }, 1065 { 1066 .value = 0xc030, 1067 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1068 .algorithm_mkey = SSL_kECDHE, 1069 .algorithm_auth = SSL_aRSA, 1070 .algorithm_enc = SSL_AES256GCM, 1071 .algorithm_mac = SSL_AEAD, 1072 .algorithm_ssl = SSL_TLSV1_2, 1073 .algo_strength = SSL_HIGH, 1074 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, 1075 .strength_bits = 256, 1076 .alg_bits = 256, 1077 }, 1078 1079 /* 1080 * TLSv1.2 ChaCha20-Poly1305 cipher suites (RFC 7905). 1081 */ 1082 { 1083 .value = 0xcca8, 1084 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1085 .algorithm_mkey = SSL_kECDHE, 1086 .algorithm_auth = SSL_aRSA, 1087 .algorithm_enc = SSL_CHACHA20POLY1305, 1088 .algorithm_mac = SSL_AEAD, 1089 .algorithm_ssl = SSL_TLSV1_2, 1090 .algo_strength = SSL_HIGH, 1091 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 1092 .strength_bits = 256, 1093 .alg_bits = 256, 1094 }, 1095 { 1096 .value = 0xcca9, 1097 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1098 .algorithm_mkey = SSL_kECDHE, 1099 .algorithm_auth = SSL_aECDSA, 1100 .algorithm_enc = SSL_CHACHA20POLY1305, 1101 .algorithm_mac = SSL_AEAD, 1102 .algorithm_ssl = SSL_TLSV1_2, 1103 .algo_strength = SSL_HIGH, 1104 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 1105 .strength_bits = 256, 1106 .alg_bits = 256, 1107 }, 1108 { 1109 .value = 0xccaa, 1110 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1111 .algorithm_mkey = SSL_kDHE, 1112 .algorithm_auth = SSL_aRSA, 1113 .algorithm_enc = SSL_CHACHA20POLY1305, 1114 .algorithm_mac = SSL_AEAD, 1115 .algorithm_ssl = SSL_TLSV1_2, 1116 .algo_strength = SSL_HIGH, 1117 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, 1118 .strength_bits = 256, 1119 .alg_bits = 256, 1120 }, 1121 }; 1122 1123 int 1124 ssl3_num_ciphers(void) 1125 { 1126 return (SSL3_NUM_CIPHERS); 1127 } 1128 1129 const SSL_CIPHER * 1130 ssl3_get_cipher_by_index(int idx) 1131 { 1132 if (idx < 0 || idx >= SSL3_NUM_CIPHERS) 1133 return NULL; 1134 1135 return &ssl3_ciphers[idx]; 1136 } 1137 1138 static int 1139 ssl3_cipher_value_cmp(const void *value, const void *cipher) 1140 { 1141 uint16_t a = *(const uint16_t *)value; 1142 uint16_t b = ((const SSL_CIPHER *)cipher)->value; 1143 1144 return a < b ? -1 : a > b; 1145 } 1146 1147 const SSL_CIPHER * 1148 ssl3_get_cipher_by_value(uint16_t value) 1149 { 1150 return bsearch(&value, ssl3_ciphers, SSL3_NUM_CIPHERS, 1151 sizeof(ssl3_ciphers[0]), ssl3_cipher_value_cmp); 1152 } 1153 1154 int 1155 ssl3_pending(const SSL *s) 1156 { 1157 if (s->s3->rcontent == NULL) 1158 return 0; 1159 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) 1160 return 0; 1161 1162 return tls_content_remaining(s->s3->rcontent); 1163 } 1164 1165 int 1166 ssl3_handshake_msg_hdr_len(SSL *s) 1167 { 1168 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1169 SSL3_HM_HEADER_LENGTH); 1170 } 1171 1172 int 1173 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1174 { 1175 int ret = 0; 1176 1177 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1178 goto err; 1179 if (!CBB_add_u8(handshake, msg_type)) 1180 goto err; 1181 if (SSL_is_dtls(s)) { 1182 unsigned char *data; 1183 1184 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1185 SSL3_HM_HEADER_LENGTH)) 1186 goto err; 1187 } 1188 if (!CBB_add_u24_length_prefixed(handshake, body)) 1189 goto err; 1190 1191 ret = 1; 1192 1193 err: 1194 return (ret); 1195 } 1196 1197 int 1198 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1199 { 1200 unsigned char *data = NULL; 1201 size_t outlen; 1202 int ret = 0; 1203 1204 if (!CBB_finish(handshake, &data, &outlen)) 1205 goto err; 1206 1207 if (outlen > INT_MAX) 1208 goto err; 1209 1210 if (!BUF_MEM_grow_clean(s->init_buf, outlen)) 1211 goto err; 1212 1213 memcpy(s->init_buf->data, data, outlen); 1214 1215 s->init_num = (int)outlen; 1216 s->init_off = 0; 1217 1218 if (SSL_is_dtls(s)) { 1219 unsigned long len; 1220 uint8_t msg_type; 1221 CBS cbs; 1222 1223 CBS_init(&cbs, data, outlen); 1224 if (!CBS_get_u8(&cbs, &msg_type)) 1225 goto err; 1226 1227 len = outlen - ssl3_handshake_msg_hdr_len(s); 1228 1229 dtls1_set_message_header(s, msg_type, len, 0, len); 1230 dtls1_buffer_message(s, 0); 1231 } 1232 1233 ret = 1; 1234 1235 err: 1236 free(data); 1237 1238 return (ret); 1239 } 1240 1241 int 1242 ssl3_handshake_write(SSL *s) 1243 { 1244 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1245 } 1246 1247 int 1248 ssl3_record_write(SSL *s, int type) 1249 { 1250 if (SSL_is_dtls(s)) 1251 return dtls1_do_write(s, type); 1252 1253 return ssl3_do_write(s, type); 1254 } 1255 1256 int 1257 ssl3_new(SSL *s) 1258 { 1259 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1260 return (0); 1261 1262 s->method->ssl_clear(s); 1263 1264 return (1); 1265 } 1266 1267 void 1268 ssl3_free(SSL *s) 1269 { 1270 if (s == NULL) 1271 return; 1272 1273 tls1_cleanup_key_block(s); 1274 ssl3_release_read_buffer(s); 1275 ssl3_release_write_buffer(s); 1276 1277 tls_content_free(s->s3->rcontent); 1278 1279 tls_buffer_free(s->s3->alert_fragment); 1280 tls_buffer_free(s->s3->handshake_fragment); 1281 1282 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1283 1284 sk_SSL_CIPHER_free(s->s3->hs.client_ciphers); 1285 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1286 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1287 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1288 tls_key_share_free(s->s3->hs.key_share); 1289 1290 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1291 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1292 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1293 1294 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1295 1296 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1297 1298 tls1_transcript_free(s); 1299 tls1_transcript_hash_free(s); 1300 1301 free(s->s3->alpn_selected); 1302 1303 freezero(s->s3->peer_quic_transport_params, 1304 s->s3->peer_quic_transport_params_len); 1305 1306 freezero(s->s3, sizeof(*s->s3)); 1307 1308 s->s3 = NULL; 1309 } 1310 1311 void 1312 ssl3_clear(SSL *s) 1313 { 1314 unsigned char *rp, *wp; 1315 size_t rlen, wlen; 1316 1317 tls1_cleanup_key_block(s); 1318 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1319 1320 tls_buffer_free(s->s3->alert_fragment); 1321 s->s3->alert_fragment = NULL; 1322 tls_buffer_free(s->s3->handshake_fragment); 1323 s->s3->handshake_fragment = NULL; 1324 1325 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1326 s->s3->hs.sigalgs = NULL; 1327 s->s3->hs.sigalgs_len = 0; 1328 1329 sk_SSL_CIPHER_free(s->s3->hs.client_ciphers); 1330 s->s3->hs.client_ciphers = NULL; 1331 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1332 s->s3->hs.peer_certs = NULL; 1333 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1334 s->s3->hs.peer_certs_no_leaf = NULL; 1335 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1336 s->s3->hs.verified_chain = NULL; 1337 1338 tls_key_share_free(s->s3->hs.key_share); 1339 s->s3->hs.key_share = NULL; 1340 1341 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1342 s->s3->hs.tls13.secrets = NULL; 1343 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1344 s->s3->hs.tls13.cookie = NULL; 1345 s->s3->hs.tls13.cookie_len = 0; 1346 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1347 1348 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1349 s->s3->hs.tls13.quic_read_buffer = NULL; 1350 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1351 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1352 1353 s->s3->hs.extensions_seen = 0; 1354 1355 rp = s->s3->rbuf.buf; 1356 wp = s->s3->wbuf.buf; 1357 rlen = s->s3->rbuf.len; 1358 wlen = s->s3->wbuf.len; 1359 1360 tls_content_free(s->s3->rcontent); 1361 s->s3->rcontent = NULL; 1362 1363 tls1_transcript_free(s); 1364 tls1_transcript_hash_free(s); 1365 1366 free(s->s3->alpn_selected); 1367 s->s3->alpn_selected = NULL; 1368 s->s3->alpn_selected_len = 0; 1369 1370 freezero(s->s3->peer_quic_transport_params, 1371 s->s3->peer_quic_transport_params_len); 1372 s->s3->peer_quic_transport_params = NULL; 1373 s->s3->peer_quic_transport_params_len = 0; 1374 1375 memset(s->s3, 0, sizeof(*s->s3)); 1376 1377 s->s3->rbuf.buf = rp; 1378 s->s3->wbuf.buf = wp; 1379 s->s3->rbuf.len = rlen; 1380 s->s3->wbuf.len = wlen; 1381 1382 ssl_free_wbio_buffer(s); 1383 1384 /* Not needed... */ 1385 s->s3->renegotiate = 0; 1386 s->s3->total_renegotiations = 0; 1387 s->s3->num_renegotiations = 0; 1388 s->s3->in_read_app_data = 0; 1389 1390 s->packet_length = 0; 1391 s->version = TLS1_2_VERSION; 1392 1393 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1394 } 1395 1396 long 1397 _SSL_get_shared_group(SSL *s, long n) 1398 { 1399 size_t count; 1400 int nid; 1401 1402 /* OpenSSL document that they return -1 for clients. They return 0. */ 1403 if (!s->server) 1404 return 0; 1405 1406 if (n == -1) { 1407 if (!tls1_count_shared_groups(s, &count)) 1408 return 0; 1409 1410 if (count > LONG_MAX) 1411 count = LONG_MAX; 1412 1413 return count; 1414 } 1415 1416 /* Undocumented special case added for Suite B profile support. */ 1417 if (n == -2) 1418 n = 0; 1419 1420 if (n < 0) 1421 return 0; 1422 1423 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1424 return NID_undef; 1425 1426 return nid; 1427 } 1428 1429 long 1430 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1431 { 1432 EVP_PKEY *pkey = NULL; 1433 int ret = 0; 1434 1435 *key = NULL; 1436 1437 if (s->s3->hs.key_share == NULL) 1438 goto err; 1439 1440 if ((pkey = EVP_PKEY_new()) == NULL) 1441 goto err; 1442 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1443 goto err; 1444 1445 *key = pkey; 1446 pkey = NULL; 1447 1448 ret = 1; 1449 1450 err: 1451 EVP_PKEY_free(pkey); 1452 1453 return (ret); 1454 } 1455 1456 static int 1457 _SSL_session_reused(SSL *s) 1458 { 1459 return s->hit; 1460 } 1461 1462 static int 1463 _SSL_num_renegotiations(SSL *s) 1464 { 1465 return s->s3->num_renegotiations; 1466 } 1467 1468 static int 1469 _SSL_clear_num_renegotiations(SSL *s) 1470 { 1471 int renegs; 1472 1473 renegs = s->s3->num_renegotiations; 1474 s->s3->num_renegotiations = 0; 1475 1476 return renegs; 1477 } 1478 1479 static int 1480 _SSL_total_renegotiations(SSL *s) 1481 { 1482 return s->s3->total_renegotiations; 1483 } 1484 1485 static int 1486 _SSL_set_tmp_dh(SSL *s, DH *dh) 1487 { 1488 DH *dhe_params; 1489 1490 if (dh == NULL) { 1491 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1492 return 0; 1493 } 1494 1495 if (!ssl_security_dh(s, dh)) { 1496 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1497 return 0; 1498 } 1499 1500 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1501 SSLerror(s, ERR_R_DH_LIB); 1502 return 0; 1503 } 1504 1505 DH_free(s->cert->dhe_params); 1506 s->cert->dhe_params = dhe_params; 1507 1508 return 1; 1509 } 1510 1511 static int 1512 _SSL_set_dh_auto(SSL *s, int state) 1513 { 1514 s->cert->dhe_params_auto = state; 1515 return 1; 1516 } 1517 1518 static int 1519 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1520 { 1521 const EC_GROUP *group; 1522 int nid; 1523 1524 if (ecdh == NULL) 1525 return 0; 1526 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1527 return 0; 1528 1529 nid = EC_GROUP_get_curve_name(group); 1530 return SSL_set1_groups(s, &nid, 1); 1531 } 1532 1533 static int 1534 _SSL_set_ecdh_auto(SSL *s, int state) 1535 { 1536 return 1; 1537 } 1538 1539 static int 1540 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1541 { 1542 int is_ip; 1543 CBS cbs; 1544 1545 free(s->tlsext_hostname); 1546 s->tlsext_hostname = NULL; 1547 1548 if (name == NULL) 1549 return 1; 1550 1551 CBS_init(&cbs, name, strlen(name)); 1552 1553 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1554 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1555 return 0; 1556 } 1557 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1558 SSLerror(s, ERR_R_INTERNAL_ERROR); 1559 return 0; 1560 } 1561 1562 return 1; 1563 } 1564 1565 static int 1566 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1567 { 1568 s->tlsext_debug_arg = arg; 1569 return 1; 1570 } 1571 1572 static int 1573 _SSL_get_tlsext_status_type(SSL *s) 1574 { 1575 return s->tlsext_status_type; 1576 } 1577 1578 static int 1579 _SSL_set_tlsext_status_type(SSL *s, int type) 1580 { 1581 s->tlsext_status_type = type; 1582 return 1; 1583 } 1584 1585 static int 1586 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1587 { 1588 *exts = s->tlsext_ocsp_exts; 1589 return 1; 1590 } 1591 1592 static int 1593 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1594 { 1595 /* XXX - leak... */ 1596 s->tlsext_ocsp_exts = exts; 1597 return 1; 1598 } 1599 1600 static int 1601 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1602 { 1603 *ids = s->tlsext_ocsp_ids; 1604 return 1; 1605 } 1606 1607 static int 1608 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1609 { 1610 /* XXX - leak... */ 1611 s->tlsext_ocsp_ids = ids; 1612 return 1; 1613 } 1614 1615 static int 1616 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1617 { 1618 if (s->tlsext_ocsp_resp != NULL && 1619 s->tlsext_ocsp_resp_len < INT_MAX) { 1620 *resp = s->tlsext_ocsp_resp; 1621 return (int)s->tlsext_ocsp_resp_len; 1622 } 1623 1624 *resp = NULL; 1625 1626 return -1; 1627 } 1628 1629 static int 1630 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1631 { 1632 free(s->tlsext_ocsp_resp); 1633 s->tlsext_ocsp_resp = NULL; 1634 s->tlsext_ocsp_resp_len = 0; 1635 1636 if (resp_len < 0) 1637 return 0; 1638 1639 s->tlsext_ocsp_resp = resp; 1640 s->tlsext_ocsp_resp_len = (size_t)resp_len; 1641 1642 return 1; 1643 } 1644 1645 int 1646 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1647 { 1648 return ssl_cert_set0_chain(NULL, ssl, chain); 1649 } 1650 LSSL_ALIAS(SSL_set0_chain); 1651 1652 int 1653 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1654 { 1655 return ssl_cert_set1_chain(NULL, ssl, chain); 1656 } 1657 LSSL_ALIAS(SSL_set1_chain); 1658 1659 int 1660 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1661 { 1662 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1663 } 1664 LSSL_ALIAS(SSL_add0_chain_cert); 1665 1666 int 1667 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1668 { 1669 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1670 } 1671 LSSL_ALIAS(SSL_add1_chain_cert); 1672 1673 int 1674 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1675 { 1676 *out_chain = NULL; 1677 1678 if (ssl->cert->key != NULL) 1679 *out_chain = ssl->cert->key->chain; 1680 1681 return 1; 1682 } 1683 LSSL_ALIAS(SSL_get0_chain_certs); 1684 1685 int 1686 SSL_clear_chain_certs(SSL *ssl) 1687 { 1688 return ssl_cert_set0_chain(NULL, ssl, NULL); 1689 } 1690 LSSL_ALIAS(SSL_clear_chain_certs); 1691 1692 int 1693 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1694 { 1695 return tls1_set_groups(&s->tlsext_supportedgroups, 1696 &s->tlsext_supportedgroups_length, groups, groups_len); 1697 } 1698 LSSL_ALIAS(SSL_set1_groups); 1699 1700 int 1701 SSL_set1_groups_list(SSL *s, const char *groups) 1702 { 1703 return tls1_set_group_list(&s->tlsext_supportedgroups, 1704 &s->tlsext_supportedgroups_length, groups); 1705 } 1706 LSSL_ALIAS(SSL_set1_groups_list); 1707 1708 static int 1709 _SSL_get_signature_nid(SSL *s, int *nid) 1710 { 1711 const struct ssl_sigalg *sigalg; 1712 1713 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1714 return 0; 1715 1716 *nid = EVP_MD_type(sigalg->md()); 1717 1718 return 1; 1719 } 1720 1721 static int 1722 _SSL_get_peer_signature_nid(SSL *s, int *nid) 1723 { 1724 const struct ssl_sigalg *sigalg; 1725 1726 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 1727 return 0; 1728 1729 *nid = EVP_MD_type(sigalg->md()); 1730 1731 return 1; 1732 } 1733 1734 int 1735 SSL_get_signature_type_nid(const SSL *s, int *nid) 1736 { 1737 const struct ssl_sigalg *sigalg; 1738 1739 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1740 return 0; 1741 1742 *nid = sigalg->key_type; 1743 if (sigalg->key_type == EVP_PKEY_RSA && 1744 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 1745 *nid = EVP_PKEY_RSA_PSS; 1746 1747 return 1; 1748 } 1749 LSSL_ALIAS(SSL_get_signature_type_nid); 1750 1751 int 1752 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 1753 { 1754 const struct ssl_sigalg *sigalg; 1755 1756 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 1757 return 0; 1758 1759 *nid = sigalg->key_type; 1760 if (sigalg->key_type == EVP_PKEY_RSA && 1761 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 1762 *nid = EVP_PKEY_RSA_PSS; 1763 1764 return 1; 1765 } 1766 LSSL_ALIAS(SSL_get_peer_signature_type_nid); 1767 1768 long 1769 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1770 { 1771 switch (cmd) { 1772 case SSL_CTRL_GET_SESSION_REUSED: 1773 return _SSL_session_reused(s); 1774 1775 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1776 return _SSL_num_renegotiations(s); 1777 1778 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1779 return _SSL_clear_num_renegotiations(s); 1780 1781 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1782 return _SSL_total_renegotiations(s); 1783 1784 case SSL_CTRL_SET_TMP_DH: 1785 return _SSL_set_tmp_dh(s, parg); 1786 1787 case SSL_CTRL_SET_TMP_DH_CB: 1788 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1789 return 0; 1790 1791 case SSL_CTRL_SET_DH_AUTO: 1792 return _SSL_set_dh_auto(s, larg); 1793 1794 case SSL_CTRL_SET_TMP_ECDH: 1795 return _SSL_set_tmp_ecdh(s, parg); 1796 1797 case SSL_CTRL_SET_TMP_ECDH_CB: 1798 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1799 return 0; 1800 1801 case SSL_CTRL_SET_ECDH_AUTO: 1802 return _SSL_set_ecdh_auto(s, larg); 1803 1804 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1805 if (larg != TLSEXT_NAMETYPE_host_name) { 1806 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 1807 return 0; 1808 } 1809 return _SSL_set_tlsext_host_name(s, parg); 1810 1811 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 1812 return _SSL_set_tlsext_debug_arg(s, parg); 1813 1814 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 1815 return _SSL_get_tlsext_status_type(s); 1816 1817 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 1818 return _SSL_set_tlsext_status_type(s, larg); 1819 1820 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 1821 return _SSL_get_tlsext_status_exts(s, parg); 1822 1823 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 1824 return _SSL_set_tlsext_status_exts(s, parg); 1825 1826 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 1827 return _SSL_get_tlsext_status_ids(s, parg); 1828 1829 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 1830 return _SSL_set_tlsext_status_ids(s, parg); 1831 1832 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 1833 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 1834 1835 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 1836 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 1837 1838 case SSL_CTRL_CHAIN: 1839 if (larg == 0) 1840 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 1841 else 1842 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 1843 1844 case SSL_CTRL_CHAIN_CERT: 1845 if (larg == 0) 1846 return SSL_add0_chain_cert(s, (X509 *)parg); 1847 else 1848 return SSL_add1_chain_cert(s, (X509 *)parg); 1849 1850 case SSL_CTRL_GET_CHAIN_CERTS: 1851 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 1852 1853 case SSL_CTRL_SET_GROUPS: 1854 return SSL_set1_groups(s, parg, larg); 1855 1856 case SSL_CTRL_SET_GROUPS_LIST: 1857 return SSL_set1_groups_list(s, parg); 1858 1859 case SSL_CTRL_GET_SHARED_GROUP: 1860 return _SSL_get_shared_group(s, larg); 1861 1862 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 1863 case SSL_CTRL_GET_SERVER_TMP_KEY: 1864 if (s->server != 0) 1865 return 0; 1866 return _SSL_get_peer_tmp_key(s, parg); 1867 1868 case SSL_CTRL_GET_MIN_PROTO_VERSION: 1869 return SSL_get_min_proto_version(s); 1870 1871 case SSL_CTRL_GET_MAX_PROTO_VERSION: 1872 return SSL_get_max_proto_version(s); 1873 1874 case SSL_CTRL_SET_MIN_PROTO_VERSION: 1875 if (larg < 0 || larg > UINT16_MAX) 1876 return 0; 1877 return SSL_set_min_proto_version(s, larg); 1878 1879 case SSL_CTRL_SET_MAX_PROTO_VERSION: 1880 if (larg < 0 || larg > UINT16_MAX) 1881 return 0; 1882 return SSL_set_max_proto_version(s, larg); 1883 1884 case SSL_CTRL_GET_SIGNATURE_NID: 1885 return _SSL_get_signature_nid(s, parg); 1886 1887 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 1888 return _SSL_get_peer_signature_nid(s, parg); 1889 1890 /* 1891 * Legacy controls that should eventually be removed. 1892 */ 1893 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 1894 return 0; 1895 1896 case SSL_CTRL_GET_FLAGS: 1897 return (int)(s->s3->flags); 1898 1899 case SSL_CTRL_NEED_TMP_RSA: 1900 return 0; 1901 1902 case SSL_CTRL_SET_TMP_RSA: 1903 case SSL_CTRL_SET_TMP_RSA_CB: 1904 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1905 return 0; 1906 } 1907 1908 return 0; 1909 } 1910 1911 long 1912 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 1913 { 1914 switch (cmd) { 1915 case SSL_CTRL_SET_TMP_RSA_CB: 1916 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1917 return 0; 1918 1919 case SSL_CTRL_SET_TMP_DH_CB: 1920 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 1921 return 1; 1922 1923 case SSL_CTRL_SET_TMP_ECDH_CB: 1924 return 1; 1925 1926 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 1927 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 1928 unsigned char *, int, void *))fp; 1929 return 1; 1930 } 1931 1932 return 0; 1933 } 1934 1935 static int 1936 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 1937 { 1938 DH *dhe_params; 1939 1940 if (dh == NULL) { 1941 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 1942 return 0; 1943 } 1944 1945 if (!ssl_ctx_security_dh(ctx, dh)) { 1946 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 1947 return 0; 1948 } 1949 1950 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1951 SSLerrorx(ERR_R_DH_LIB); 1952 return 0; 1953 } 1954 1955 DH_free(ctx->cert->dhe_params); 1956 ctx->cert->dhe_params = dhe_params; 1957 1958 return 1; 1959 } 1960 1961 static int 1962 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 1963 { 1964 ctx->cert->dhe_params_auto = state; 1965 return 1; 1966 } 1967 1968 static int 1969 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 1970 { 1971 const EC_GROUP *group; 1972 int nid; 1973 1974 if (ecdh == NULL) 1975 return 0; 1976 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1977 return 0; 1978 1979 nid = EC_GROUP_get_curve_name(group); 1980 return SSL_CTX_set1_groups(ctx, &nid, 1); 1981 } 1982 1983 static int 1984 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 1985 { 1986 return 1; 1987 } 1988 1989 static int 1990 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 1991 { 1992 ctx->tlsext_servername_arg = arg; 1993 return 1; 1994 } 1995 1996 static int 1997 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 1998 { 1999 if (keys == NULL) 2000 return 48; 2001 2002 if (keys_len != 48) { 2003 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2004 return 0; 2005 } 2006 2007 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2008 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2009 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2010 2011 return 1; 2012 } 2013 2014 static int 2015 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2016 { 2017 if (keys == NULL) 2018 return 48; 2019 2020 if (keys_len != 48) { 2021 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2022 return 0; 2023 } 2024 2025 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2026 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2027 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2028 2029 return 1; 2030 } 2031 2032 static int 2033 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2034 { 2035 *arg = ctx->tlsext_status_arg; 2036 return 1; 2037 } 2038 2039 static int 2040 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2041 { 2042 ctx->tlsext_status_arg = arg; 2043 return 1; 2044 } 2045 2046 int 2047 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2048 { 2049 return ssl_cert_set0_chain(ctx, NULL, chain); 2050 } 2051 LSSL_ALIAS(SSL_CTX_set0_chain); 2052 2053 int 2054 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2055 { 2056 return ssl_cert_set1_chain(ctx, NULL, chain); 2057 } 2058 LSSL_ALIAS(SSL_CTX_set1_chain); 2059 2060 int 2061 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2062 { 2063 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2064 } 2065 LSSL_ALIAS(SSL_CTX_add0_chain_cert); 2066 2067 int 2068 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2069 { 2070 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2071 } 2072 LSSL_ALIAS(SSL_CTX_add1_chain_cert); 2073 2074 int 2075 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2076 { 2077 *out_chain = NULL; 2078 2079 if (ctx->cert->key != NULL) 2080 *out_chain = ctx->cert->key->chain; 2081 2082 return 1; 2083 } 2084 LSSL_ALIAS(SSL_CTX_get0_chain_certs); 2085 2086 int 2087 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2088 { 2089 return ssl_cert_set0_chain(ctx, NULL, NULL); 2090 } 2091 LSSL_ALIAS(SSL_CTX_clear_chain_certs); 2092 2093 static int 2094 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2095 { 2096 if (ctx->extra_certs == NULL) { 2097 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2098 return 0; 2099 } 2100 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2101 return 0; 2102 2103 return 1; 2104 } 2105 2106 static int 2107 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2108 { 2109 *certs = ctx->extra_certs; 2110 if (*certs == NULL) 2111 *certs = ctx->cert->key->chain; 2112 2113 return 1; 2114 } 2115 2116 static int 2117 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2118 { 2119 *certs = ctx->extra_certs; 2120 return 1; 2121 } 2122 2123 static int 2124 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2125 { 2126 sk_X509_pop_free(ctx->extra_certs, X509_free); 2127 ctx->extra_certs = NULL; 2128 return 1; 2129 } 2130 2131 int 2132 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2133 { 2134 return tls1_set_groups(&ctx->tlsext_supportedgroups, 2135 &ctx->tlsext_supportedgroups_length, groups, groups_len); 2136 } 2137 LSSL_ALIAS(SSL_CTX_set1_groups); 2138 2139 int 2140 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2141 { 2142 return tls1_set_group_list(&ctx->tlsext_supportedgroups, 2143 &ctx->tlsext_supportedgroups_length, groups); 2144 } 2145 LSSL_ALIAS(SSL_CTX_set1_groups_list); 2146 2147 long 2148 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2149 { 2150 switch (cmd) { 2151 case SSL_CTRL_SET_TMP_DH: 2152 return _SSL_CTX_set_tmp_dh(ctx, parg); 2153 2154 case SSL_CTRL_SET_TMP_DH_CB: 2155 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2156 return 0; 2157 2158 case SSL_CTRL_SET_DH_AUTO: 2159 return _SSL_CTX_set_dh_auto(ctx, larg); 2160 2161 case SSL_CTRL_SET_TMP_ECDH: 2162 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2163 2164 case SSL_CTRL_SET_TMP_ECDH_CB: 2165 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2166 return 0; 2167 2168 case SSL_CTRL_SET_ECDH_AUTO: 2169 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2170 2171 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2172 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2173 2174 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2175 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2176 2177 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2178 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2179 2180 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2181 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2182 2183 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2184 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2185 2186 case SSL_CTRL_CHAIN: 2187 if (larg == 0) 2188 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2189 else 2190 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2191 2192 case SSL_CTRL_CHAIN_CERT: 2193 if (larg == 0) 2194 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2195 else 2196 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2197 2198 case SSL_CTRL_GET_CHAIN_CERTS: 2199 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2200 2201 case SSL_CTRL_EXTRA_CHAIN_CERT: 2202 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2203 2204 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2205 if (larg == 0) 2206 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2207 else 2208 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2209 2210 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2211 return _SSL_CTX_clear_extra_chain_certs(ctx); 2212 2213 case SSL_CTRL_SET_GROUPS: 2214 return SSL_CTX_set1_groups(ctx, parg, larg); 2215 2216 case SSL_CTRL_SET_GROUPS_LIST: 2217 return SSL_CTX_set1_groups_list(ctx, parg); 2218 2219 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2220 return SSL_CTX_get_min_proto_version(ctx); 2221 2222 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2223 return SSL_CTX_get_max_proto_version(ctx); 2224 2225 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2226 if (larg < 0 || larg > UINT16_MAX) 2227 return 0; 2228 return SSL_CTX_set_min_proto_version(ctx, larg); 2229 2230 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2231 if (larg < 0 || larg > UINT16_MAX) 2232 return 0; 2233 return SSL_CTX_set_max_proto_version(ctx, larg); 2234 2235 /* 2236 * Legacy controls that should eventually be removed. 2237 */ 2238 case SSL_CTRL_NEED_TMP_RSA: 2239 return 0; 2240 2241 case SSL_CTRL_SET_TMP_RSA: 2242 case SSL_CTRL_SET_TMP_RSA_CB: 2243 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2244 return 0; 2245 } 2246 2247 return 0; 2248 } 2249 2250 long 2251 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2252 { 2253 switch (cmd) { 2254 case SSL_CTRL_SET_TMP_RSA_CB: 2255 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2256 return 0; 2257 2258 case SSL_CTRL_SET_TMP_DH_CB: 2259 ctx->cert->dhe_params_cb = 2260 (DH *(*)(SSL *, int, int))fp; 2261 return 1; 2262 2263 case SSL_CTRL_SET_TMP_ECDH_CB: 2264 return 1; 2265 2266 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2267 ctx->tlsext_servername_callback = 2268 (int (*)(SSL *, int *, void *))fp; 2269 return 1; 2270 2271 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2272 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; 2273 return 1; 2274 2275 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2276 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2277 return 1; 2278 2279 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2280 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2281 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2282 return 1; 2283 } 2284 2285 return 0; 2286 } 2287 2288 SSL_CIPHER * 2289 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2290 STACK_OF(SSL_CIPHER) *srvr) 2291 { 2292 unsigned long alg_k, alg_a, mask_k, mask_a; 2293 STACK_OF(SSL_CIPHER) *prio, *allow; 2294 SSL_CIPHER *c, *ret = NULL; 2295 int can_use_ecc; 2296 int i, ii, nid, ok; 2297 SSL_CERT *cert; 2298 2299 /* Let's see which ciphers we can support */ 2300 cert = s->cert; 2301 2302 can_use_ecc = tls1_get_supported_group(s, &nid); 2303 2304 /* 2305 * Do not set the compare functions, because this may lead to a 2306 * reordering by "id". We want to keep the original ordering. 2307 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2308 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2309 */ 2310 2311 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2312 prio = srvr; 2313 allow = clnt; 2314 } else { 2315 prio = clnt; 2316 allow = srvr; 2317 } 2318 2319 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2320 c = sk_SSL_CIPHER_value(prio, i); 2321 2322 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2323 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2324 !SSL_USE_TLS1_2_CIPHERS(s)) 2325 continue; 2326 2327 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2328 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2329 !SSL_USE_TLS1_3_CIPHERS(s)) 2330 continue; 2331 2332 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2333 if (SSL_USE_TLS1_3_CIPHERS(s) && 2334 !(c->algorithm_ssl & SSL_TLSV1_3)) 2335 continue; 2336 2337 if (!ssl_security_shared_cipher(s, c)) 2338 continue; 2339 2340 ssl_set_cert_masks(cert, c); 2341 mask_k = cert->mask_k; 2342 mask_a = cert->mask_a; 2343 2344 alg_k = c->algorithm_mkey; 2345 alg_a = c->algorithm_auth; 2346 2347 ok = (alg_k & mask_k) && (alg_a & mask_a); 2348 2349 /* 2350 * If we are considering an ECC cipher suite that uses our 2351 * certificate check it. 2352 */ 2353 if (alg_a & SSL_aECDSA) 2354 ok = ok && tls1_check_ec_server_key(s); 2355 /* 2356 * If we are considering an ECC cipher suite that uses 2357 * an ephemeral EC key check it. 2358 */ 2359 if (alg_k & SSL_kECDHE) 2360 ok = ok && can_use_ecc; 2361 2362 if (!ok) 2363 continue; 2364 ii = sk_SSL_CIPHER_find(allow, c); 2365 if (ii >= 0) { 2366 ret = sk_SSL_CIPHER_value(allow, ii); 2367 break; 2368 } 2369 } 2370 return (ret); 2371 } 2372 2373 #define SSL3_CT_RSA_SIGN 1 2374 #define SSL3_CT_RSA_FIXED_DH 3 2375 #define SSL3_CT_ECDSA_SIGN 64 2376 2377 int 2378 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2379 { 2380 unsigned long alg_k; 2381 2382 alg_k = s->s3->hs.cipher->algorithm_mkey; 2383 2384 if ((alg_k & SSL_kDHE) != 0) { 2385 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2386 return 0; 2387 } 2388 2389 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2390 return 0; 2391 2392 /* 2393 * ECDSA certs can be used with RSA cipher suites as well 2394 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2395 */ 2396 if (!CBB_add_u8(cbb, SSL3_CT_ECDSA_SIGN)) 2397 return 0; 2398 2399 return 1; 2400 } 2401 2402 int 2403 ssl3_shutdown(SSL *s) 2404 { 2405 int ret; 2406 2407 /* 2408 * Don't do anything much if we have not done the handshake or 2409 * we don't want to send messages :-) 2410 */ 2411 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2412 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2413 return (1); 2414 } 2415 2416 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { 2417 s->shutdown|=SSL_SENT_SHUTDOWN; 2418 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2419 /* 2420 * Our shutdown alert has been sent now, and if it still needs 2421 * to be written, s->s3->alert_dispatch will be true 2422 */ 2423 if (s->s3->alert_dispatch) 2424 return (-1); /* return WANT_WRITE */ 2425 } else if (s->s3->alert_dispatch) { 2426 /* resend it if not sent */ 2427 ret = ssl3_dispatch_alert(s); 2428 if (ret == -1) { 2429 /* 2430 * We only get to return -1 here the 2nd/Nth 2431 * invocation, we must have already signalled 2432 * return 0 upon a previous invoation, 2433 * return WANT_WRITE 2434 */ 2435 return (ret); 2436 } 2437 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2438 /* If we are waiting for a close from our peer, we are closed */ 2439 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2440 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2441 return (-1); /* return WANT_READ */ 2442 } 2443 } 2444 2445 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2446 !s->s3->alert_dispatch) 2447 return (1); 2448 else 2449 return (0); 2450 } 2451 2452 int 2453 ssl3_write(SSL *s, const void *buf, int len) 2454 { 2455 errno = 0; 2456 2457 if (s->s3->renegotiate) 2458 ssl3_renegotiate_check(s); 2459 2460 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2461 buf, len); 2462 } 2463 2464 static int 2465 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2466 { 2467 int ret; 2468 2469 errno = 0; 2470 if (s->s3->renegotiate) 2471 ssl3_renegotiate_check(s); 2472 s->s3->in_read_app_data = 1; 2473 2474 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2475 peek); 2476 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2477 /* 2478 * ssl3_read_bytes decided to call s->handshake_func, 2479 * which called ssl3_read_bytes to read handshake data. 2480 * However, ssl3_read_bytes actually found application data 2481 * and thinks that application data makes sense here; so disable 2482 * handshake processing and try to read application data again. 2483 */ 2484 s->in_handshake++; 2485 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2486 buf, len, peek); 2487 s->in_handshake--; 2488 } else 2489 s->s3->in_read_app_data = 0; 2490 2491 return (ret); 2492 } 2493 2494 int 2495 ssl3_read(SSL *s, void *buf, int len) 2496 { 2497 return ssl3_read_internal(s, buf, len, 0); 2498 } 2499 2500 int 2501 ssl3_peek(SSL *s, void *buf, int len) 2502 { 2503 return ssl3_read_internal(s, buf, len, 1); 2504 } 2505 2506 int 2507 ssl3_renegotiate(SSL *s) 2508 { 2509 if (s->handshake_func == NULL) 2510 return 1; 2511 2512 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2513 return 0; 2514 2515 s->s3->renegotiate = 1; 2516 2517 return 1; 2518 } 2519 2520 int 2521 ssl3_renegotiate_check(SSL *s) 2522 { 2523 if (!s->s3->renegotiate) 2524 return 0; 2525 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2526 return 0; 2527 2528 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2529 s->s3->renegotiate = 0; 2530 s->s3->num_renegotiations++; 2531 s->s3->total_renegotiations++; 2532 2533 return 1; 2534 } 2535