1 /* $OpenBSD: s3_lib.c,v 1.246 2023/07/08 16:40:13 beck Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 #include <openssl/opensslconf.h> 160 161 #include "bytestring.h" 162 #include "dtls_local.h" 163 #include "ssl_local.h" 164 #include "ssl_sigalgs.h" 165 #include "ssl_tlsext.h" 166 #include "tls_content.h" 167 168 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 169 170 /* 171 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 172 * fixed nonce length in algorithms2. It is the inverse of the 173 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 174 */ 175 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 176 177 /* list of available SSLv3 ciphers (sorted by id) */ 178 const SSL_CIPHER ssl3_ciphers[] = { 179 180 /* The RSA ciphers */ 181 /* Cipher 01 */ 182 { 183 .valid = 1, 184 .name = SSL3_TXT_RSA_NULL_MD5, 185 .id = SSL3_CK_RSA_NULL_MD5, 186 .algorithm_mkey = SSL_kRSA, 187 .algorithm_auth = SSL_aRSA, 188 .algorithm_enc = SSL_eNULL, 189 .algorithm_mac = SSL_MD5, 190 .algorithm_ssl = SSL_SSLV3, 191 .algo_strength = SSL_STRONG_NONE, 192 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 193 .strength_bits = 0, 194 .alg_bits = 0, 195 }, 196 197 /* Cipher 02 */ 198 { 199 .valid = 1, 200 .name = SSL3_TXT_RSA_NULL_SHA, 201 .id = SSL3_CK_RSA_NULL_SHA, 202 .algorithm_mkey = SSL_kRSA, 203 .algorithm_auth = SSL_aRSA, 204 .algorithm_enc = SSL_eNULL, 205 .algorithm_mac = SSL_SHA1, 206 .algorithm_ssl = SSL_SSLV3, 207 .algo_strength = SSL_STRONG_NONE, 208 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 209 .strength_bits = 0, 210 .alg_bits = 0, 211 }, 212 213 /* Cipher 04 */ 214 { 215 .valid = 1, 216 .name = SSL3_TXT_RSA_RC4_128_MD5, 217 .id = SSL3_CK_RSA_RC4_128_MD5, 218 .algorithm_mkey = SSL_kRSA, 219 .algorithm_auth = SSL_aRSA, 220 .algorithm_enc = SSL_RC4, 221 .algorithm_mac = SSL_MD5, 222 .algorithm_ssl = SSL_SSLV3, 223 .algo_strength = SSL_LOW, 224 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 225 .strength_bits = 128, 226 .alg_bits = 128, 227 }, 228 229 /* Cipher 05 */ 230 { 231 .valid = 1, 232 .name = SSL3_TXT_RSA_RC4_128_SHA, 233 .id = SSL3_CK_RSA_RC4_128_SHA, 234 .algorithm_mkey = SSL_kRSA, 235 .algorithm_auth = SSL_aRSA, 236 .algorithm_enc = SSL_RC4, 237 .algorithm_mac = SSL_SHA1, 238 .algorithm_ssl = SSL_SSLV3, 239 .algo_strength = SSL_LOW, 240 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 241 .strength_bits = 128, 242 .alg_bits = 128, 243 }, 244 245 /* Cipher 0A */ 246 { 247 .valid = 1, 248 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 249 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 250 .algorithm_mkey = SSL_kRSA, 251 .algorithm_auth = SSL_aRSA, 252 .algorithm_enc = SSL_3DES, 253 .algorithm_mac = SSL_SHA1, 254 .algorithm_ssl = SSL_SSLV3, 255 .algo_strength = SSL_MEDIUM, 256 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 257 .strength_bits = 112, 258 .alg_bits = 168, 259 }, 260 261 /* 262 * Ephemeral DH (DHE) ciphers. 263 */ 264 265 /* Cipher 16 */ 266 { 267 .valid = 1, 268 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 269 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 270 .algorithm_mkey = SSL_kDHE, 271 .algorithm_auth = SSL_aRSA, 272 .algorithm_enc = SSL_3DES, 273 .algorithm_mac = SSL_SHA1, 274 .algorithm_ssl = SSL_SSLV3, 275 .algo_strength = SSL_MEDIUM, 276 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 277 .strength_bits = 112, 278 .alg_bits = 168, 279 }, 280 281 /* Cipher 18 */ 282 { 283 .valid = 1, 284 .name = SSL3_TXT_ADH_RC4_128_MD5, 285 .id = SSL3_CK_ADH_RC4_128_MD5, 286 .algorithm_mkey = SSL_kDHE, 287 .algorithm_auth = SSL_aNULL, 288 .algorithm_enc = SSL_RC4, 289 .algorithm_mac = SSL_MD5, 290 .algorithm_ssl = SSL_SSLV3, 291 .algo_strength = SSL_LOW, 292 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 293 .strength_bits = 128, 294 .alg_bits = 128, 295 }, 296 297 /* Cipher 1B */ 298 { 299 .valid = 1, 300 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 301 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 302 .algorithm_mkey = SSL_kDHE, 303 .algorithm_auth = SSL_aNULL, 304 .algorithm_enc = SSL_3DES, 305 .algorithm_mac = SSL_SHA1, 306 .algorithm_ssl = SSL_SSLV3, 307 .algo_strength = SSL_MEDIUM, 308 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 309 .strength_bits = 112, 310 .alg_bits = 168, 311 }, 312 313 /* 314 * AES ciphersuites. 315 */ 316 317 /* Cipher 2F */ 318 { 319 .valid = 1, 320 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 321 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 322 .algorithm_mkey = SSL_kRSA, 323 .algorithm_auth = SSL_aRSA, 324 .algorithm_enc = SSL_AES128, 325 .algorithm_mac = SSL_SHA1, 326 .algorithm_ssl = SSL_TLSV1, 327 .algo_strength = SSL_HIGH, 328 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 329 .strength_bits = 128, 330 .alg_bits = 128, 331 }, 332 333 /* Cipher 33 */ 334 { 335 .valid = 1, 336 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 337 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 338 .algorithm_mkey = SSL_kDHE, 339 .algorithm_auth = SSL_aRSA, 340 .algorithm_enc = SSL_AES128, 341 .algorithm_mac = SSL_SHA1, 342 .algorithm_ssl = SSL_TLSV1, 343 .algo_strength = SSL_HIGH, 344 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 345 .strength_bits = 128, 346 .alg_bits = 128, 347 }, 348 349 /* Cipher 34 */ 350 { 351 .valid = 1, 352 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 353 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 354 .algorithm_mkey = SSL_kDHE, 355 .algorithm_auth = SSL_aNULL, 356 .algorithm_enc = SSL_AES128, 357 .algorithm_mac = SSL_SHA1, 358 .algorithm_ssl = SSL_TLSV1, 359 .algo_strength = SSL_HIGH, 360 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 361 .strength_bits = 128, 362 .alg_bits = 128, 363 }, 364 365 /* Cipher 35 */ 366 { 367 .valid = 1, 368 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 369 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 370 .algorithm_mkey = SSL_kRSA, 371 .algorithm_auth = SSL_aRSA, 372 .algorithm_enc = SSL_AES256, 373 .algorithm_mac = SSL_SHA1, 374 .algorithm_ssl = SSL_TLSV1, 375 .algo_strength = SSL_HIGH, 376 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 377 .strength_bits = 256, 378 .alg_bits = 256, 379 }, 380 381 /* Cipher 39 */ 382 { 383 .valid = 1, 384 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 385 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 386 .algorithm_mkey = SSL_kDHE, 387 .algorithm_auth = SSL_aRSA, 388 .algorithm_enc = SSL_AES256, 389 .algorithm_mac = SSL_SHA1, 390 .algorithm_ssl = SSL_TLSV1, 391 .algo_strength = SSL_HIGH, 392 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 393 .strength_bits = 256, 394 .alg_bits = 256, 395 }, 396 397 /* Cipher 3A */ 398 { 399 .valid = 1, 400 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 401 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 402 .algorithm_mkey = SSL_kDHE, 403 .algorithm_auth = SSL_aNULL, 404 .algorithm_enc = SSL_AES256, 405 .algorithm_mac = SSL_SHA1, 406 .algorithm_ssl = SSL_TLSV1, 407 .algo_strength = SSL_HIGH, 408 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 409 .strength_bits = 256, 410 .alg_bits = 256, 411 }, 412 413 /* TLS v1.2 ciphersuites */ 414 /* Cipher 3B */ 415 { 416 .valid = 1, 417 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 418 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 419 .algorithm_mkey = SSL_kRSA, 420 .algorithm_auth = SSL_aRSA, 421 .algorithm_enc = SSL_eNULL, 422 .algorithm_mac = SSL_SHA256, 423 .algorithm_ssl = SSL_TLSV1_2, 424 .algo_strength = SSL_STRONG_NONE, 425 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 426 .strength_bits = 0, 427 .alg_bits = 0, 428 }, 429 430 /* Cipher 3C */ 431 { 432 .valid = 1, 433 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 434 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 435 .algorithm_mkey = SSL_kRSA, 436 .algorithm_auth = SSL_aRSA, 437 .algorithm_enc = SSL_AES128, 438 .algorithm_mac = SSL_SHA256, 439 .algorithm_ssl = SSL_TLSV1_2, 440 .algo_strength = SSL_HIGH, 441 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 442 .strength_bits = 128, 443 .alg_bits = 128, 444 }, 445 446 /* Cipher 3D */ 447 { 448 .valid = 1, 449 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 450 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 451 .algorithm_mkey = SSL_kRSA, 452 .algorithm_auth = SSL_aRSA, 453 .algorithm_enc = SSL_AES256, 454 .algorithm_mac = SSL_SHA256, 455 .algorithm_ssl = SSL_TLSV1_2, 456 .algo_strength = SSL_HIGH, 457 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 458 .strength_bits = 256, 459 .alg_bits = 256, 460 }, 461 462 #ifndef OPENSSL_NO_CAMELLIA 463 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 464 465 /* Cipher 41 */ 466 { 467 .valid = 1, 468 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 469 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 470 .algorithm_mkey = SSL_kRSA, 471 .algorithm_auth = SSL_aRSA, 472 .algorithm_enc = SSL_CAMELLIA128, 473 .algorithm_mac = SSL_SHA1, 474 .algorithm_ssl = SSL_TLSV1, 475 .algo_strength = SSL_HIGH, 476 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 477 .strength_bits = 128, 478 .alg_bits = 128, 479 }, 480 481 /* Cipher 45 */ 482 { 483 .valid = 1, 484 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 485 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 486 .algorithm_mkey = SSL_kDHE, 487 .algorithm_auth = SSL_aRSA, 488 .algorithm_enc = SSL_CAMELLIA128, 489 .algorithm_mac = SSL_SHA1, 490 .algorithm_ssl = SSL_TLSV1, 491 .algo_strength = SSL_HIGH, 492 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 493 .strength_bits = 128, 494 .alg_bits = 128, 495 }, 496 497 /* Cipher 46 */ 498 { 499 .valid = 1, 500 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 501 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 502 .algorithm_mkey = SSL_kDHE, 503 .algorithm_auth = SSL_aNULL, 504 .algorithm_enc = SSL_CAMELLIA128, 505 .algorithm_mac = SSL_SHA1, 506 .algorithm_ssl = SSL_TLSV1, 507 .algo_strength = SSL_HIGH, 508 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 509 .strength_bits = 128, 510 .alg_bits = 128, 511 }, 512 #endif /* OPENSSL_NO_CAMELLIA */ 513 514 /* TLS v1.2 ciphersuites */ 515 /* Cipher 67 */ 516 { 517 .valid = 1, 518 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 519 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 520 .algorithm_mkey = SSL_kDHE, 521 .algorithm_auth = SSL_aRSA, 522 .algorithm_enc = SSL_AES128, 523 .algorithm_mac = SSL_SHA256, 524 .algorithm_ssl = SSL_TLSV1_2, 525 .algo_strength = SSL_HIGH, 526 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 527 .strength_bits = 128, 528 .alg_bits = 128, 529 }, 530 531 /* Cipher 6B */ 532 { 533 .valid = 1, 534 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 535 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 536 .algorithm_mkey = SSL_kDHE, 537 .algorithm_auth = SSL_aRSA, 538 .algorithm_enc = SSL_AES256, 539 .algorithm_mac = SSL_SHA256, 540 .algorithm_ssl = SSL_TLSV1_2, 541 .algo_strength = SSL_HIGH, 542 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 543 .strength_bits = 256, 544 .alg_bits = 256, 545 }, 546 547 /* Cipher 6C */ 548 { 549 .valid = 1, 550 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 551 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 552 .algorithm_mkey = SSL_kDHE, 553 .algorithm_auth = SSL_aNULL, 554 .algorithm_enc = SSL_AES128, 555 .algorithm_mac = SSL_SHA256, 556 .algorithm_ssl = SSL_TLSV1_2, 557 .algo_strength = SSL_HIGH, 558 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 559 .strength_bits = 128, 560 .alg_bits = 128, 561 }, 562 563 /* Cipher 6D */ 564 { 565 .valid = 1, 566 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 567 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 568 .algorithm_mkey = SSL_kDHE, 569 .algorithm_auth = SSL_aNULL, 570 .algorithm_enc = SSL_AES256, 571 .algorithm_mac = SSL_SHA256, 572 .algorithm_ssl = SSL_TLSV1_2, 573 .algo_strength = SSL_HIGH, 574 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 575 .strength_bits = 256, 576 .alg_bits = 256, 577 }, 578 579 /* GOST Ciphersuites */ 580 581 /* Cipher 81 */ 582 { 583 .valid = 1, 584 .name = "GOST2001-GOST89-GOST89", 585 .id = 0x3000081, 586 .algorithm_mkey = SSL_kGOST, 587 .algorithm_auth = SSL_aGOST01, 588 .algorithm_enc = SSL_eGOST2814789CNT, 589 .algorithm_mac = SSL_GOST89MAC, 590 .algorithm_ssl = SSL_TLSV1, 591 .algo_strength = SSL_HIGH, 592 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 593 TLS1_STREAM_MAC, 594 .strength_bits = 256, 595 .alg_bits = 256 596 }, 597 598 /* Cipher 83 */ 599 { 600 .valid = 1, 601 .name = "GOST2001-NULL-GOST94", 602 .id = 0x3000083, 603 .algorithm_mkey = SSL_kGOST, 604 .algorithm_auth = SSL_aGOST01, 605 .algorithm_enc = SSL_eNULL, 606 .algorithm_mac = SSL_GOST94, 607 .algorithm_ssl = SSL_TLSV1, 608 .algo_strength = SSL_STRONG_NONE, 609 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 610 .strength_bits = 0, 611 .alg_bits = 0 612 }, 613 614 #ifndef OPENSSL_NO_CAMELLIA 615 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 616 617 /* Cipher 84 */ 618 { 619 .valid = 1, 620 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 621 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 622 .algorithm_mkey = SSL_kRSA, 623 .algorithm_auth = SSL_aRSA, 624 .algorithm_enc = SSL_CAMELLIA256, 625 .algorithm_mac = SSL_SHA1, 626 .algorithm_ssl = SSL_TLSV1, 627 .algo_strength = SSL_HIGH, 628 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 629 .strength_bits = 256, 630 .alg_bits = 256, 631 }, 632 633 /* Cipher 88 */ 634 { 635 .valid = 1, 636 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 637 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 638 .algorithm_mkey = SSL_kDHE, 639 .algorithm_auth = SSL_aRSA, 640 .algorithm_enc = SSL_CAMELLIA256, 641 .algorithm_mac = SSL_SHA1, 642 .algorithm_ssl = SSL_TLSV1, 643 .algo_strength = SSL_HIGH, 644 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 645 .strength_bits = 256, 646 .alg_bits = 256, 647 }, 648 649 /* Cipher 89 */ 650 { 651 .valid = 1, 652 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 653 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 654 .algorithm_mkey = SSL_kDHE, 655 .algorithm_auth = SSL_aNULL, 656 .algorithm_enc = SSL_CAMELLIA256, 657 .algorithm_mac = SSL_SHA1, 658 .algorithm_ssl = SSL_TLSV1, 659 .algo_strength = SSL_HIGH, 660 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 661 .strength_bits = 256, 662 .alg_bits = 256, 663 }, 664 #endif /* OPENSSL_NO_CAMELLIA */ 665 666 /* 667 * GCM ciphersuites from RFC5288. 668 */ 669 670 /* Cipher 9C */ 671 { 672 .valid = 1, 673 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 674 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 675 .algorithm_mkey = SSL_kRSA, 676 .algorithm_auth = SSL_aRSA, 677 .algorithm_enc = SSL_AES128GCM, 678 .algorithm_mac = SSL_AEAD, 679 .algorithm_ssl = SSL_TLSV1_2, 680 .algo_strength = SSL_HIGH, 681 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 682 FIXED_NONCE_LEN(4)| 683 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 684 .strength_bits = 128, 685 .alg_bits = 128, 686 }, 687 688 /* Cipher 9D */ 689 { 690 .valid = 1, 691 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 692 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 693 .algorithm_mkey = SSL_kRSA, 694 .algorithm_auth = SSL_aRSA, 695 .algorithm_enc = SSL_AES256GCM, 696 .algorithm_mac = SSL_AEAD, 697 .algorithm_ssl = SSL_TLSV1_2, 698 .algo_strength = SSL_HIGH, 699 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 700 FIXED_NONCE_LEN(4)| 701 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 702 .strength_bits = 256, 703 .alg_bits = 256, 704 }, 705 706 /* Cipher 9E */ 707 { 708 .valid = 1, 709 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 710 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 711 .algorithm_mkey = SSL_kDHE, 712 .algorithm_auth = SSL_aRSA, 713 .algorithm_enc = SSL_AES128GCM, 714 .algorithm_mac = SSL_AEAD, 715 .algorithm_ssl = SSL_TLSV1_2, 716 .algo_strength = SSL_HIGH, 717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 718 FIXED_NONCE_LEN(4)| 719 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 720 .strength_bits = 128, 721 .alg_bits = 128, 722 }, 723 724 /* Cipher 9F */ 725 { 726 .valid = 1, 727 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 728 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 729 .algorithm_mkey = SSL_kDHE, 730 .algorithm_auth = SSL_aRSA, 731 .algorithm_enc = SSL_AES256GCM, 732 .algorithm_mac = SSL_AEAD, 733 .algorithm_ssl = SSL_TLSV1_2, 734 .algo_strength = SSL_HIGH, 735 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 736 FIXED_NONCE_LEN(4)| 737 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 738 .strength_bits = 256, 739 .alg_bits = 256, 740 }, 741 742 /* Cipher A6 */ 743 { 744 .valid = 1, 745 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 746 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 747 .algorithm_mkey = SSL_kDHE, 748 .algorithm_auth = SSL_aNULL, 749 .algorithm_enc = SSL_AES128GCM, 750 .algorithm_mac = SSL_AEAD, 751 .algorithm_ssl = SSL_TLSV1_2, 752 .algo_strength = SSL_HIGH, 753 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 754 FIXED_NONCE_LEN(4)| 755 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 756 .strength_bits = 128, 757 .alg_bits = 128, 758 }, 759 760 /* Cipher A7 */ 761 { 762 .valid = 1, 763 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 764 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 765 .algorithm_mkey = SSL_kDHE, 766 .algorithm_auth = SSL_aNULL, 767 .algorithm_enc = SSL_AES256GCM, 768 .algorithm_mac = SSL_AEAD, 769 .algorithm_ssl = SSL_TLSV1_2, 770 .algo_strength = SSL_HIGH, 771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 772 FIXED_NONCE_LEN(4)| 773 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 774 .strength_bits = 256, 775 .alg_bits = 256, 776 }, 777 778 #ifndef OPENSSL_NO_CAMELLIA 779 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 780 781 /* Cipher BA */ 782 { 783 .valid = 1, 784 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 785 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 786 .algorithm_mkey = SSL_kRSA, 787 .algorithm_auth = SSL_aRSA, 788 .algorithm_enc = SSL_CAMELLIA128, 789 .algorithm_mac = SSL_SHA256, 790 .algorithm_ssl = SSL_TLSV1_2, 791 .algo_strength = SSL_HIGH, 792 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 793 .strength_bits = 128, 794 .alg_bits = 128, 795 }, 796 797 /* Cipher BE */ 798 { 799 .valid = 1, 800 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 801 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 802 .algorithm_mkey = SSL_kDHE, 803 .algorithm_auth = SSL_aRSA, 804 .algorithm_enc = SSL_CAMELLIA128, 805 .algorithm_mac = SSL_SHA256, 806 .algorithm_ssl = SSL_TLSV1_2, 807 .algo_strength = SSL_HIGH, 808 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 809 .strength_bits = 128, 810 .alg_bits = 128, 811 }, 812 813 /* Cipher BF */ 814 { 815 .valid = 1, 816 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 817 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 818 .algorithm_mkey = SSL_kDHE, 819 .algorithm_auth = SSL_aNULL, 820 .algorithm_enc = SSL_CAMELLIA128, 821 .algorithm_mac = SSL_SHA256, 822 .algorithm_ssl = SSL_TLSV1_2, 823 .algo_strength = SSL_HIGH, 824 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 825 .strength_bits = 128, 826 .alg_bits = 128, 827 }, 828 829 /* Cipher C0 */ 830 { 831 .valid = 1, 832 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 833 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 834 .algorithm_mkey = SSL_kRSA, 835 .algorithm_auth = SSL_aRSA, 836 .algorithm_enc = SSL_CAMELLIA256, 837 .algorithm_mac = SSL_SHA256, 838 .algorithm_ssl = SSL_TLSV1_2, 839 .algo_strength = SSL_HIGH, 840 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 841 .strength_bits = 256, 842 .alg_bits = 256, 843 }, 844 845 /* Cipher C4 */ 846 { 847 .valid = 1, 848 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 849 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 850 .algorithm_mkey = SSL_kDHE, 851 .algorithm_auth = SSL_aRSA, 852 .algorithm_enc = SSL_CAMELLIA256, 853 .algorithm_mac = SSL_SHA256, 854 .algorithm_ssl = SSL_TLSV1_2, 855 .algo_strength = SSL_HIGH, 856 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 857 .strength_bits = 256, 858 .alg_bits = 256, 859 }, 860 861 /* Cipher C5 */ 862 { 863 .valid = 1, 864 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 865 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 866 .algorithm_mkey = SSL_kDHE, 867 .algorithm_auth = SSL_aNULL, 868 .algorithm_enc = SSL_CAMELLIA256, 869 .algorithm_mac = SSL_SHA256, 870 .algorithm_ssl = SSL_TLSV1_2, 871 .algo_strength = SSL_HIGH, 872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 873 .strength_bits = 256, 874 .alg_bits = 256, 875 }, 876 #endif /* OPENSSL_NO_CAMELLIA */ 877 878 /* 879 * TLSv1.3 cipher suites. 880 */ 881 882 #ifdef LIBRESSL_HAS_TLS1_3 883 /* Cipher 1301 */ 884 { 885 .valid = 1, 886 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 887 .id = TLS1_3_CK_AES_128_GCM_SHA256, 888 .algorithm_mkey = SSL_kTLS1_3, 889 .algorithm_auth = SSL_aTLS1_3, 890 .algorithm_enc = SSL_AES128GCM, 891 .algorithm_mac = SSL_AEAD, 892 .algorithm_ssl = SSL_TLSV1_3, 893 .algo_strength = SSL_HIGH, 894 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 895 .strength_bits = 128, 896 .alg_bits = 128, 897 }, 898 899 /* Cipher 1302 */ 900 { 901 .valid = 1, 902 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 903 .id = TLS1_3_CK_AES_256_GCM_SHA384, 904 .algorithm_mkey = SSL_kTLS1_3, 905 .algorithm_auth = SSL_aTLS1_3, 906 .algorithm_enc = SSL_AES256GCM, 907 .algorithm_mac = SSL_AEAD, 908 .algorithm_ssl = SSL_TLSV1_3, 909 .algo_strength = SSL_HIGH, 910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 911 .strength_bits = 256, 912 .alg_bits = 256, 913 }, 914 915 /* Cipher 1303 */ 916 { 917 .valid = 1, 918 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 919 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 920 .algorithm_mkey = SSL_kTLS1_3, 921 .algorithm_auth = SSL_aTLS1_3, 922 .algorithm_enc = SSL_CHACHA20POLY1305, 923 .algorithm_mac = SSL_AEAD, 924 .algorithm_ssl = SSL_TLSV1_3, 925 .algo_strength = SSL_HIGH, 926 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 927 .strength_bits = 256, 928 .alg_bits = 256, 929 }, 930 #endif 931 932 /* Cipher C006 */ 933 { 934 .valid = 1, 935 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 936 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 937 .algorithm_mkey = SSL_kECDHE, 938 .algorithm_auth = SSL_aECDSA, 939 .algorithm_enc = SSL_eNULL, 940 .algorithm_mac = SSL_SHA1, 941 .algorithm_ssl = SSL_TLSV1, 942 .algo_strength = SSL_STRONG_NONE, 943 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 944 .strength_bits = 0, 945 .alg_bits = 0, 946 }, 947 948 /* Cipher C007 */ 949 { 950 .valid = 1, 951 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 952 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 953 .algorithm_mkey = SSL_kECDHE, 954 .algorithm_auth = SSL_aECDSA, 955 .algorithm_enc = SSL_RC4, 956 .algorithm_mac = SSL_SHA1, 957 .algorithm_ssl = SSL_TLSV1, 958 .algo_strength = SSL_LOW, 959 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 960 .strength_bits = 128, 961 .alg_bits = 128, 962 }, 963 964 /* Cipher C008 */ 965 { 966 .valid = 1, 967 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 968 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 969 .algorithm_mkey = SSL_kECDHE, 970 .algorithm_auth = SSL_aECDSA, 971 .algorithm_enc = SSL_3DES, 972 .algorithm_mac = SSL_SHA1, 973 .algorithm_ssl = SSL_TLSV1, 974 .algo_strength = SSL_MEDIUM, 975 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 976 .strength_bits = 112, 977 .alg_bits = 168, 978 }, 979 980 /* Cipher C009 */ 981 { 982 .valid = 1, 983 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 984 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 985 .algorithm_mkey = SSL_kECDHE, 986 .algorithm_auth = SSL_aECDSA, 987 .algorithm_enc = SSL_AES128, 988 .algorithm_mac = SSL_SHA1, 989 .algorithm_ssl = SSL_TLSV1, 990 .algo_strength = SSL_HIGH, 991 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 992 .strength_bits = 128, 993 .alg_bits = 128, 994 }, 995 996 /* Cipher C00A */ 997 { 998 .valid = 1, 999 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1000 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1001 .algorithm_mkey = SSL_kECDHE, 1002 .algorithm_auth = SSL_aECDSA, 1003 .algorithm_enc = SSL_AES256, 1004 .algorithm_mac = SSL_SHA1, 1005 .algorithm_ssl = SSL_TLSV1, 1006 .algo_strength = SSL_HIGH, 1007 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1008 .strength_bits = 256, 1009 .alg_bits = 256, 1010 }, 1011 1012 /* Cipher C010 */ 1013 { 1014 .valid = 1, 1015 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1016 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1017 .algorithm_mkey = SSL_kECDHE, 1018 .algorithm_auth = SSL_aRSA, 1019 .algorithm_enc = SSL_eNULL, 1020 .algorithm_mac = SSL_SHA1, 1021 .algorithm_ssl = SSL_TLSV1, 1022 .algo_strength = SSL_STRONG_NONE, 1023 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1024 .strength_bits = 0, 1025 .alg_bits = 0, 1026 }, 1027 1028 /* Cipher C011 */ 1029 { 1030 .valid = 1, 1031 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1032 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1033 .algorithm_mkey = SSL_kECDHE, 1034 .algorithm_auth = SSL_aRSA, 1035 .algorithm_enc = SSL_RC4, 1036 .algorithm_mac = SSL_SHA1, 1037 .algorithm_ssl = SSL_TLSV1, 1038 .algo_strength = SSL_LOW, 1039 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1040 .strength_bits = 128, 1041 .alg_bits = 128, 1042 }, 1043 1044 /* Cipher C012 */ 1045 { 1046 .valid = 1, 1047 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1048 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1049 .algorithm_mkey = SSL_kECDHE, 1050 .algorithm_auth = SSL_aRSA, 1051 .algorithm_enc = SSL_3DES, 1052 .algorithm_mac = SSL_SHA1, 1053 .algorithm_ssl = SSL_TLSV1, 1054 .algo_strength = SSL_MEDIUM, 1055 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1056 .strength_bits = 112, 1057 .alg_bits = 168, 1058 }, 1059 1060 /* Cipher C013 */ 1061 { 1062 .valid = 1, 1063 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1064 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1065 .algorithm_mkey = SSL_kECDHE, 1066 .algorithm_auth = SSL_aRSA, 1067 .algorithm_enc = SSL_AES128, 1068 .algorithm_mac = SSL_SHA1, 1069 .algorithm_ssl = SSL_TLSV1, 1070 .algo_strength = SSL_HIGH, 1071 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1072 .strength_bits = 128, 1073 .alg_bits = 128, 1074 }, 1075 1076 /* Cipher C014 */ 1077 { 1078 .valid = 1, 1079 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1080 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1081 .algorithm_mkey = SSL_kECDHE, 1082 .algorithm_auth = SSL_aRSA, 1083 .algorithm_enc = SSL_AES256, 1084 .algorithm_mac = SSL_SHA1, 1085 .algorithm_ssl = SSL_TLSV1, 1086 .algo_strength = SSL_HIGH, 1087 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1088 .strength_bits = 256, 1089 .alg_bits = 256, 1090 }, 1091 1092 /* Cipher C015 */ 1093 { 1094 .valid = 1, 1095 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1096 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1097 .algorithm_mkey = SSL_kECDHE, 1098 .algorithm_auth = SSL_aNULL, 1099 .algorithm_enc = SSL_eNULL, 1100 .algorithm_mac = SSL_SHA1, 1101 .algorithm_ssl = SSL_TLSV1, 1102 .algo_strength = SSL_STRONG_NONE, 1103 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1104 .strength_bits = 0, 1105 .alg_bits = 0, 1106 }, 1107 1108 /* Cipher C016 */ 1109 { 1110 .valid = 1, 1111 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1112 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1113 .algorithm_mkey = SSL_kECDHE, 1114 .algorithm_auth = SSL_aNULL, 1115 .algorithm_enc = SSL_RC4, 1116 .algorithm_mac = SSL_SHA1, 1117 .algorithm_ssl = SSL_TLSV1, 1118 .algo_strength = SSL_LOW, 1119 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1120 .strength_bits = 128, 1121 .alg_bits = 128, 1122 }, 1123 1124 /* Cipher C017 */ 1125 { 1126 .valid = 1, 1127 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1128 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1129 .algorithm_mkey = SSL_kECDHE, 1130 .algorithm_auth = SSL_aNULL, 1131 .algorithm_enc = SSL_3DES, 1132 .algorithm_mac = SSL_SHA1, 1133 .algorithm_ssl = SSL_TLSV1, 1134 .algo_strength = SSL_MEDIUM, 1135 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1136 .strength_bits = 112, 1137 .alg_bits = 168, 1138 }, 1139 1140 /* Cipher C018 */ 1141 { 1142 .valid = 1, 1143 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1144 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1145 .algorithm_mkey = SSL_kECDHE, 1146 .algorithm_auth = SSL_aNULL, 1147 .algorithm_enc = SSL_AES128, 1148 .algorithm_mac = SSL_SHA1, 1149 .algorithm_ssl = SSL_TLSV1, 1150 .algo_strength = SSL_HIGH, 1151 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1152 .strength_bits = 128, 1153 .alg_bits = 128, 1154 }, 1155 1156 /* Cipher C019 */ 1157 { 1158 .valid = 1, 1159 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1160 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1161 .algorithm_mkey = SSL_kECDHE, 1162 .algorithm_auth = SSL_aNULL, 1163 .algorithm_enc = SSL_AES256, 1164 .algorithm_mac = SSL_SHA1, 1165 .algorithm_ssl = SSL_TLSV1, 1166 .algo_strength = SSL_HIGH, 1167 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1168 .strength_bits = 256, 1169 .alg_bits = 256, 1170 }, 1171 1172 1173 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1174 1175 /* Cipher C023 */ 1176 { 1177 .valid = 1, 1178 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1179 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1180 .algorithm_mkey = SSL_kECDHE, 1181 .algorithm_auth = SSL_aECDSA, 1182 .algorithm_enc = SSL_AES128, 1183 .algorithm_mac = SSL_SHA256, 1184 .algorithm_ssl = SSL_TLSV1_2, 1185 .algo_strength = SSL_HIGH, 1186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1187 .strength_bits = 128, 1188 .alg_bits = 128, 1189 }, 1190 1191 /* Cipher C024 */ 1192 { 1193 .valid = 1, 1194 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1195 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1196 .algorithm_mkey = SSL_kECDHE, 1197 .algorithm_auth = SSL_aECDSA, 1198 .algorithm_enc = SSL_AES256, 1199 .algorithm_mac = SSL_SHA384, 1200 .algorithm_ssl = SSL_TLSV1_2, 1201 .algo_strength = SSL_HIGH, 1202 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1203 .strength_bits = 256, 1204 .alg_bits = 256, 1205 }, 1206 1207 /* Cipher C027 */ 1208 { 1209 .valid = 1, 1210 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1211 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1212 .algorithm_mkey = SSL_kECDHE, 1213 .algorithm_auth = SSL_aRSA, 1214 .algorithm_enc = SSL_AES128, 1215 .algorithm_mac = SSL_SHA256, 1216 .algorithm_ssl = SSL_TLSV1_2, 1217 .algo_strength = SSL_HIGH, 1218 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1219 .strength_bits = 128, 1220 .alg_bits = 128, 1221 }, 1222 1223 /* Cipher C028 */ 1224 { 1225 .valid = 1, 1226 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1227 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1228 .algorithm_mkey = SSL_kECDHE, 1229 .algorithm_auth = SSL_aRSA, 1230 .algorithm_enc = SSL_AES256, 1231 .algorithm_mac = SSL_SHA384, 1232 .algorithm_ssl = SSL_TLSV1_2, 1233 .algo_strength = SSL_HIGH, 1234 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1235 .strength_bits = 256, 1236 .alg_bits = 256, 1237 }, 1238 1239 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1240 1241 /* Cipher C02B */ 1242 { 1243 .valid = 1, 1244 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1245 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1246 .algorithm_mkey = SSL_kECDHE, 1247 .algorithm_auth = SSL_aECDSA, 1248 .algorithm_enc = SSL_AES128GCM, 1249 .algorithm_mac = SSL_AEAD, 1250 .algorithm_ssl = SSL_TLSV1_2, 1251 .algo_strength = SSL_HIGH, 1252 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1253 FIXED_NONCE_LEN(4)| 1254 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1255 .strength_bits = 128, 1256 .alg_bits = 128, 1257 }, 1258 1259 /* Cipher C02C */ 1260 { 1261 .valid = 1, 1262 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1263 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1264 .algorithm_mkey = SSL_kECDHE, 1265 .algorithm_auth = SSL_aECDSA, 1266 .algorithm_enc = SSL_AES256GCM, 1267 .algorithm_mac = SSL_AEAD, 1268 .algorithm_ssl = SSL_TLSV1_2, 1269 .algo_strength = SSL_HIGH, 1270 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1271 FIXED_NONCE_LEN(4)| 1272 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1273 .strength_bits = 256, 1274 .alg_bits = 256, 1275 }, 1276 1277 /* Cipher C02F */ 1278 { 1279 .valid = 1, 1280 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1281 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1282 .algorithm_mkey = SSL_kECDHE, 1283 .algorithm_auth = SSL_aRSA, 1284 .algorithm_enc = SSL_AES128GCM, 1285 .algorithm_mac = SSL_AEAD, 1286 .algorithm_ssl = SSL_TLSV1_2, 1287 .algo_strength = SSL_HIGH, 1288 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1289 FIXED_NONCE_LEN(4)| 1290 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1291 .strength_bits = 128, 1292 .alg_bits = 128, 1293 }, 1294 1295 /* Cipher C030 */ 1296 { 1297 .valid = 1, 1298 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1299 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1300 .algorithm_mkey = SSL_kECDHE, 1301 .algorithm_auth = SSL_aRSA, 1302 .algorithm_enc = SSL_AES256GCM, 1303 .algorithm_mac = SSL_AEAD, 1304 .algorithm_ssl = SSL_TLSV1_2, 1305 .algo_strength = SSL_HIGH, 1306 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1307 FIXED_NONCE_LEN(4)| 1308 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1309 .strength_bits = 256, 1310 .alg_bits = 256, 1311 }, 1312 1313 /* Cipher CCA8 */ 1314 { 1315 .valid = 1, 1316 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1317 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1318 .algorithm_mkey = SSL_kECDHE, 1319 .algorithm_auth = SSL_aRSA, 1320 .algorithm_enc = SSL_CHACHA20POLY1305, 1321 .algorithm_mac = SSL_AEAD, 1322 .algorithm_ssl = SSL_TLSV1_2, 1323 .algo_strength = SSL_HIGH, 1324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1325 FIXED_NONCE_LEN(12), 1326 .strength_bits = 256, 1327 .alg_bits = 256, 1328 }, 1329 1330 /* Cipher CCA9 */ 1331 { 1332 .valid = 1, 1333 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1334 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1335 .algorithm_mkey = SSL_kECDHE, 1336 .algorithm_auth = SSL_aECDSA, 1337 .algorithm_enc = SSL_CHACHA20POLY1305, 1338 .algorithm_mac = SSL_AEAD, 1339 .algorithm_ssl = SSL_TLSV1_2, 1340 .algo_strength = SSL_HIGH, 1341 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1342 FIXED_NONCE_LEN(12), 1343 .strength_bits = 256, 1344 .alg_bits = 256, 1345 }, 1346 1347 /* Cipher CCAA */ 1348 { 1349 .valid = 1, 1350 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1351 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1352 .algorithm_mkey = SSL_kDHE, 1353 .algorithm_auth = SSL_aRSA, 1354 .algorithm_enc = SSL_CHACHA20POLY1305, 1355 .algorithm_mac = SSL_AEAD, 1356 .algorithm_ssl = SSL_TLSV1_2, 1357 .algo_strength = SSL_HIGH, 1358 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1359 FIXED_NONCE_LEN(12), 1360 .strength_bits = 256, 1361 .alg_bits = 256, 1362 }, 1363 1364 /* Cipher FF85 FIXME IANA */ 1365 { 1366 .valid = 1, 1367 .name = "GOST2012256-GOST89-GOST89", 1368 .id = 0x300ff85, /* FIXME IANA */ 1369 .algorithm_mkey = SSL_kGOST, 1370 .algorithm_auth = SSL_aGOST01, 1371 .algorithm_enc = SSL_eGOST2814789CNT, 1372 .algorithm_mac = SSL_GOST89MAC, 1373 .algorithm_ssl = SSL_TLSV1, 1374 .algo_strength = SSL_HIGH, 1375 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1376 TLS1_STREAM_MAC, 1377 .strength_bits = 256, 1378 .alg_bits = 256 1379 }, 1380 1381 /* Cipher FF87 FIXME IANA */ 1382 { 1383 .valid = 1, 1384 .name = "GOST2012256-NULL-STREEBOG256", 1385 .id = 0x300ff87, /* FIXME IANA */ 1386 .algorithm_mkey = SSL_kGOST, 1387 .algorithm_auth = SSL_aGOST01, 1388 .algorithm_enc = SSL_eNULL, 1389 .algorithm_mac = SSL_STREEBOG256, 1390 .algorithm_ssl = SSL_TLSV1, 1391 .algo_strength = SSL_STRONG_NONE, 1392 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1393 .strength_bits = 0, 1394 .alg_bits = 0 1395 }, 1396 1397 1398 /* end of list */ 1399 }; 1400 1401 int 1402 ssl3_num_ciphers(void) 1403 { 1404 return (SSL3_NUM_CIPHERS); 1405 } 1406 1407 const SSL_CIPHER * 1408 ssl3_get_cipher(unsigned int u) 1409 { 1410 if (u < SSL3_NUM_CIPHERS) 1411 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1412 else 1413 return (NULL); 1414 } 1415 1416 const SSL_CIPHER * 1417 ssl3_get_cipher_by_id(unsigned int id) 1418 { 1419 const SSL_CIPHER *cp; 1420 SSL_CIPHER c; 1421 1422 c.id = id; 1423 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1424 if (cp != NULL && cp->valid == 1) 1425 return (cp); 1426 1427 return (NULL); 1428 } 1429 1430 const SSL_CIPHER * 1431 ssl3_get_cipher_by_value(uint16_t value) 1432 { 1433 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1434 } 1435 1436 uint16_t 1437 ssl3_cipher_get_value(const SSL_CIPHER *c) 1438 { 1439 return (c->id & SSL3_CK_VALUE_MASK); 1440 } 1441 1442 int 1443 ssl3_pending(const SSL *s) 1444 { 1445 if (s->s3->rcontent == NULL) 1446 return 0; 1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) 1448 return 0; 1449 1450 return tls_content_remaining(s->s3->rcontent); 1451 } 1452 1453 int 1454 ssl3_handshake_msg_hdr_len(SSL *s) 1455 { 1456 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1457 SSL3_HM_HEADER_LENGTH); 1458 } 1459 1460 int 1461 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1462 { 1463 int ret = 0; 1464 1465 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1466 goto err; 1467 if (!CBB_add_u8(handshake, msg_type)) 1468 goto err; 1469 if (SSL_is_dtls(s)) { 1470 unsigned char *data; 1471 1472 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1473 SSL3_HM_HEADER_LENGTH)) 1474 goto err; 1475 } 1476 if (!CBB_add_u24_length_prefixed(handshake, body)) 1477 goto err; 1478 1479 ret = 1; 1480 1481 err: 1482 return (ret); 1483 } 1484 1485 int 1486 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1487 { 1488 unsigned char *data = NULL; 1489 size_t outlen; 1490 int ret = 0; 1491 1492 if (!CBB_finish(handshake, &data, &outlen)) 1493 goto err; 1494 1495 if (outlen > INT_MAX) 1496 goto err; 1497 1498 if (!BUF_MEM_grow_clean(s->init_buf, outlen)) 1499 goto err; 1500 1501 memcpy(s->init_buf->data, data, outlen); 1502 1503 s->init_num = (int)outlen; 1504 s->init_off = 0; 1505 1506 if (SSL_is_dtls(s)) { 1507 unsigned long len; 1508 uint8_t msg_type; 1509 CBS cbs; 1510 1511 CBS_init(&cbs, data, outlen); 1512 if (!CBS_get_u8(&cbs, &msg_type)) 1513 goto err; 1514 1515 len = outlen - ssl3_handshake_msg_hdr_len(s); 1516 1517 dtls1_set_message_header(s, msg_type, len, 0, len); 1518 dtls1_buffer_message(s, 0); 1519 } 1520 1521 ret = 1; 1522 1523 err: 1524 free(data); 1525 1526 return (ret); 1527 } 1528 1529 int 1530 ssl3_handshake_write(SSL *s) 1531 { 1532 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1533 } 1534 1535 int 1536 ssl3_record_write(SSL *s, int type) 1537 { 1538 if (SSL_is_dtls(s)) 1539 return dtls1_do_write(s, type); 1540 1541 return ssl3_do_write(s, type); 1542 } 1543 1544 int 1545 ssl3_new(SSL *s) 1546 { 1547 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1548 return (0); 1549 1550 s->method->ssl_clear(s); 1551 1552 return (1); 1553 } 1554 1555 void 1556 ssl3_free(SSL *s) 1557 { 1558 if (s == NULL) 1559 return; 1560 1561 tls1_cleanup_key_block(s); 1562 ssl3_release_read_buffer(s); 1563 ssl3_release_write_buffer(s); 1564 1565 tls_content_free(s->s3->rcontent); 1566 1567 tls_buffer_free(s->s3->alert_fragment); 1568 tls_buffer_free(s->s3->handshake_fragment); 1569 1570 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1571 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1572 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1573 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1574 tls_key_share_free(s->s3->hs.key_share); 1575 1576 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1577 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1578 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1579 1580 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1581 1582 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1583 1584 tls1_transcript_free(s); 1585 tls1_transcript_hash_free(s); 1586 1587 free(s->s3->alpn_selected); 1588 1589 freezero(s->s3->peer_quic_transport_params, 1590 s->s3->peer_quic_transport_params_len); 1591 1592 freezero(s->s3, sizeof(*s->s3)); 1593 1594 s->s3 = NULL; 1595 } 1596 1597 void 1598 ssl3_clear(SSL *s) 1599 { 1600 unsigned char *rp, *wp; 1601 size_t rlen, wlen; 1602 1603 tls1_cleanup_key_block(s); 1604 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1605 1606 tls_buffer_free(s->s3->alert_fragment); 1607 s->s3->alert_fragment = NULL; 1608 tls_buffer_free(s->s3->handshake_fragment); 1609 s->s3->handshake_fragment = NULL; 1610 1611 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1612 s->s3->hs.sigalgs = NULL; 1613 s->s3->hs.sigalgs_len = 0; 1614 1615 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1616 s->s3->hs.peer_certs = NULL; 1617 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1618 s->s3->hs.peer_certs_no_leaf = NULL; 1619 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1620 s->s3->hs.verified_chain = NULL; 1621 1622 tls_key_share_free(s->s3->hs.key_share); 1623 s->s3->hs.key_share = NULL; 1624 1625 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1626 s->s3->hs.tls13.secrets = NULL; 1627 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1628 s->s3->hs.tls13.cookie = NULL; 1629 s->s3->hs.tls13.cookie_len = 0; 1630 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1631 1632 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1633 s->s3->hs.tls13.quic_read_buffer = NULL; 1634 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1635 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1636 1637 s->s3->hs.extensions_seen = 0; 1638 1639 rp = s->s3->rbuf.buf; 1640 wp = s->s3->wbuf.buf; 1641 rlen = s->s3->rbuf.len; 1642 wlen = s->s3->wbuf.len; 1643 1644 tls_content_free(s->s3->rcontent); 1645 s->s3->rcontent = NULL; 1646 1647 tls1_transcript_free(s); 1648 tls1_transcript_hash_free(s); 1649 1650 free(s->s3->alpn_selected); 1651 s->s3->alpn_selected = NULL; 1652 s->s3->alpn_selected_len = 0; 1653 1654 freezero(s->s3->peer_quic_transport_params, 1655 s->s3->peer_quic_transport_params_len); 1656 s->s3->peer_quic_transport_params = NULL; 1657 s->s3->peer_quic_transport_params_len = 0; 1658 1659 memset(s->s3, 0, sizeof(*s->s3)); 1660 1661 s->s3->rbuf.buf = rp; 1662 s->s3->wbuf.buf = wp; 1663 s->s3->rbuf.len = rlen; 1664 s->s3->wbuf.len = wlen; 1665 1666 ssl_free_wbio_buffer(s); 1667 1668 /* Not needed... */ 1669 s->s3->renegotiate = 0; 1670 s->s3->total_renegotiations = 0; 1671 s->s3->num_renegotiations = 0; 1672 s->s3->in_read_app_data = 0; 1673 1674 s->packet_length = 0; 1675 s->version = TLS1_2_VERSION; 1676 1677 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1678 } 1679 1680 long 1681 _SSL_get_shared_group(SSL *s, long n) 1682 { 1683 size_t count; 1684 int nid; 1685 1686 /* OpenSSL document that they return -1 for clients. They return 0. */ 1687 if (!s->server) 1688 return 0; 1689 1690 if (n == -1) { 1691 if (!tls1_count_shared_groups(s, &count)) 1692 return 0; 1693 1694 if (count > LONG_MAX) 1695 count = LONG_MAX; 1696 1697 return count; 1698 } 1699 1700 /* Undocumented special case added for Suite B profile support. */ 1701 if (n == -2) 1702 n = 0; 1703 1704 if (n < 0) 1705 return 0; 1706 1707 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1708 return NID_undef; 1709 1710 return nid; 1711 } 1712 1713 long 1714 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1715 { 1716 EVP_PKEY *pkey = NULL; 1717 int ret = 0; 1718 1719 *key = NULL; 1720 1721 if (s->s3->hs.key_share == NULL) 1722 goto err; 1723 1724 if ((pkey = EVP_PKEY_new()) == NULL) 1725 goto err; 1726 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1727 goto err; 1728 1729 *key = pkey; 1730 pkey = NULL; 1731 1732 ret = 1; 1733 1734 err: 1735 EVP_PKEY_free(pkey); 1736 1737 return (ret); 1738 } 1739 1740 static int 1741 _SSL_session_reused(SSL *s) 1742 { 1743 return s->hit; 1744 } 1745 1746 static int 1747 _SSL_num_renegotiations(SSL *s) 1748 { 1749 return s->s3->num_renegotiations; 1750 } 1751 1752 static int 1753 _SSL_clear_num_renegotiations(SSL *s) 1754 { 1755 int renegs; 1756 1757 renegs = s->s3->num_renegotiations; 1758 s->s3->num_renegotiations = 0; 1759 1760 return renegs; 1761 } 1762 1763 static int 1764 _SSL_total_renegotiations(SSL *s) 1765 { 1766 return s->s3->total_renegotiations; 1767 } 1768 1769 static int 1770 _SSL_set_tmp_dh(SSL *s, DH *dh) 1771 { 1772 DH *dhe_params; 1773 1774 if (dh == NULL) { 1775 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1776 return 0; 1777 } 1778 1779 if (!ssl_security_dh(s, dh)) { 1780 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1781 return 0; 1782 } 1783 1784 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1785 SSLerror(s, ERR_R_DH_LIB); 1786 return 0; 1787 } 1788 1789 DH_free(s->cert->dhe_params); 1790 s->cert->dhe_params = dhe_params; 1791 1792 return 1; 1793 } 1794 1795 static int 1796 _SSL_set_dh_auto(SSL *s, int state) 1797 { 1798 s->cert->dhe_params_auto = state; 1799 return 1; 1800 } 1801 1802 static int 1803 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1804 { 1805 const EC_GROUP *group; 1806 int nid; 1807 1808 if (ecdh == NULL) 1809 return 0; 1810 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1811 return 0; 1812 1813 nid = EC_GROUP_get_curve_name(group); 1814 return SSL_set1_groups(s, &nid, 1); 1815 } 1816 1817 static int 1818 _SSL_set_ecdh_auto(SSL *s, int state) 1819 { 1820 return 1; 1821 } 1822 1823 static int 1824 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1825 { 1826 int is_ip; 1827 CBS cbs; 1828 1829 free(s->tlsext_hostname); 1830 s->tlsext_hostname = NULL; 1831 1832 if (name == NULL) 1833 return 1; 1834 1835 CBS_init(&cbs, name, strlen(name)); 1836 1837 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1838 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1839 return 0; 1840 } 1841 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1842 SSLerror(s, ERR_R_INTERNAL_ERROR); 1843 return 0; 1844 } 1845 1846 return 1; 1847 } 1848 1849 static int 1850 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1851 { 1852 s->tlsext_debug_arg = arg; 1853 return 1; 1854 } 1855 1856 static int 1857 _SSL_get_tlsext_status_type(SSL *s) 1858 { 1859 return s->tlsext_status_type; 1860 } 1861 1862 static int 1863 _SSL_set_tlsext_status_type(SSL *s, int type) 1864 { 1865 s->tlsext_status_type = type; 1866 return 1; 1867 } 1868 1869 static int 1870 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1871 { 1872 *exts = s->tlsext_ocsp_exts; 1873 return 1; 1874 } 1875 1876 static int 1877 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1878 { 1879 /* XXX - leak... */ 1880 s->tlsext_ocsp_exts = exts; 1881 return 1; 1882 } 1883 1884 static int 1885 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1886 { 1887 *ids = s->tlsext_ocsp_ids; 1888 return 1; 1889 } 1890 1891 static int 1892 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1893 { 1894 /* XXX - leak... */ 1895 s->tlsext_ocsp_ids = ids; 1896 return 1; 1897 } 1898 1899 static int 1900 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1901 { 1902 if (s->tlsext_ocsp_resp != NULL && 1903 s->tlsext_ocsp_resp_len < INT_MAX) { 1904 *resp = s->tlsext_ocsp_resp; 1905 return (int)s->tlsext_ocsp_resp_len; 1906 } 1907 1908 *resp = NULL; 1909 1910 return -1; 1911 } 1912 1913 static int 1914 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1915 { 1916 free(s->tlsext_ocsp_resp); 1917 s->tlsext_ocsp_resp = NULL; 1918 s->tlsext_ocsp_resp_len = 0; 1919 1920 if (resp_len < 0) 1921 return 0; 1922 1923 s->tlsext_ocsp_resp = resp; 1924 s->tlsext_ocsp_resp_len = (size_t)resp_len; 1925 1926 return 1; 1927 } 1928 1929 int 1930 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1931 { 1932 return ssl_cert_set0_chain(NULL, ssl, chain); 1933 } 1934 LSSL_ALIAS(SSL_set0_chain); 1935 1936 int 1937 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1938 { 1939 return ssl_cert_set1_chain(NULL, ssl, chain); 1940 } 1941 LSSL_ALIAS(SSL_set1_chain); 1942 1943 int 1944 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1945 { 1946 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1947 } 1948 LSSL_ALIAS(SSL_add0_chain_cert); 1949 1950 int 1951 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1952 { 1953 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1954 } 1955 LSSL_ALIAS(SSL_add1_chain_cert); 1956 1957 int 1958 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1959 { 1960 *out_chain = NULL; 1961 1962 if (ssl->cert->key != NULL) 1963 *out_chain = ssl->cert->key->chain; 1964 1965 return 1; 1966 } 1967 LSSL_ALIAS(SSL_get0_chain_certs); 1968 1969 int 1970 SSL_clear_chain_certs(SSL *ssl) 1971 { 1972 return ssl_cert_set0_chain(NULL, ssl, NULL); 1973 } 1974 LSSL_ALIAS(SSL_clear_chain_certs); 1975 1976 int 1977 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1978 { 1979 return tls1_set_groups(&s->tlsext_supportedgroups, 1980 &s->tlsext_supportedgroups_length, groups, groups_len); 1981 } 1982 LSSL_ALIAS(SSL_set1_groups); 1983 1984 int 1985 SSL_set1_groups_list(SSL *s, const char *groups) 1986 { 1987 return tls1_set_group_list(&s->tlsext_supportedgroups, 1988 &s->tlsext_supportedgroups_length, groups); 1989 } 1990 LSSL_ALIAS(SSL_set1_groups_list); 1991 1992 static int 1993 _SSL_get_signature_nid(SSL *s, int *nid) 1994 { 1995 const struct ssl_sigalg *sigalg; 1996 1997 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1998 return 0; 1999 2000 *nid = EVP_MD_type(sigalg->md()); 2001 2002 return 1; 2003 } 2004 2005 static int 2006 _SSL_get_peer_signature_nid(SSL *s, int *nid) 2007 { 2008 const struct ssl_sigalg *sigalg; 2009 2010 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2011 return 0; 2012 2013 *nid = EVP_MD_type(sigalg->md()); 2014 2015 return 1; 2016 } 2017 2018 int 2019 SSL_get_signature_type_nid(const SSL *s, int *nid) 2020 { 2021 const struct ssl_sigalg *sigalg; 2022 2023 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 2024 return 0; 2025 2026 *nid = sigalg->key_type; 2027 if (sigalg->key_type == EVP_PKEY_RSA && 2028 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2029 *nid = EVP_PKEY_RSA_PSS; 2030 2031 return 1; 2032 } 2033 2034 int 2035 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 2036 { 2037 const struct ssl_sigalg *sigalg; 2038 2039 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2040 return 0; 2041 2042 *nid = sigalg->key_type; 2043 if (sigalg->key_type == EVP_PKEY_RSA && 2044 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2045 *nid = EVP_PKEY_RSA_PSS; 2046 2047 return 1; 2048 } 2049 2050 long 2051 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 2052 { 2053 switch (cmd) { 2054 case SSL_CTRL_GET_SESSION_REUSED: 2055 return _SSL_session_reused(s); 2056 2057 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 2058 return _SSL_num_renegotiations(s); 2059 2060 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 2061 return _SSL_clear_num_renegotiations(s); 2062 2063 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 2064 return _SSL_total_renegotiations(s); 2065 2066 case SSL_CTRL_SET_TMP_DH: 2067 return _SSL_set_tmp_dh(s, parg); 2068 2069 case SSL_CTRL_SET_TMP_DH_CB: 2070 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2071 return 0; 2072 2073 case SSL_CTRL_SET_DH_AUTO: 2074 return _SSL_set_dh_auto(s, larg); 2075 2076 case SSL_CTRL_SET_TMP_ECDH: 2077 return _SSL_set_tmp_ecdh(s, parg); 2078 2079 case SSL_CTRL_SET_TMP_ECDH_CB: 2080 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2081 return 0; 2082 2083 case SSL_CTRL_SET_ECDH_AUTO: 2084 return _SSL_set_ecdh_auto(s, larg); 2085 2086 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 2087 if (larg != TLSEXT_NAMETYPE_host_name) { 2088 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 2089 return 0; 2090 } 2091 return _SSL_set_tlsext_host_name(s, parg); 2092 2093 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2094 return _SSL_set_tlsext_debug_arg(s, parg); 2095 2096 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 2097 return _SSL_get_tlsext_status_type(s); 2098 2099 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 2100 return _SSL_set_tlsext_status_type(s, larg); 2101 2102 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 2103 return _SSL_get_tlsext_status_exts(s, parg); 2104 2105 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 2106 return _SSL_set_tlsext_status_exts(s, parg); 2107 2108 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 2109 return _SSL_get_tlsext_status_ids(s, parg); 2110 2111 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 2112 return _SSL_set_tlsext_status_ids(s, parg); 2113 2114 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2115 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2116 2117 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2118 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2119 2120 case SSL_CTRL_CHAIN: 2121 if (larg == 0) 2122 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2123 else 2124 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2125 2126 case SSL_CTRL_CHAIN_CERT: 2127 if (larg == 0) 2128 return SSL_add0_chain_cert(s, (X509 *)parg); 2129 else 2130 return SSL_add1_chain_cert(s, (X509 *)parg); 2131 2132 case SSL_CTRL_GET_CHAIN_CERTS: 2133 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2134 2135 case SSL_CTRL_SET_GROUPS: 2136 return SSL_set1_groups(s, parg, larg); 2137 2138 case SSL_CTRL_SET_GROUPS_LIST: 2139 return SSL_set1_groups_list(s, parg); 2140 2141 case SSL_CTRL_GET_SHARED_GROUP: 2142 return _SSL_get_shared_group(s, larg); 2143 2144 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2145 case SSL_CTRL_GET_SERVER_TMP_KEY: 2146 if (s->server != 0) 2147 return 0; 2148 return _SSL_get_peer_tmp_key(s, parg); 2149 2150 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2151 return SSL_get_min_proto_version(s); 2152 2153 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2154 return SSL_get_max_proto_version(s); 2155 2156 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2157 if (larg < 0 || larg > UINT16_MAX) 2158 return 0; 2159 return SSL_set_min_proto_version(s, larg); 2160 2161 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2162 if (larg < 0 || larg > UINT16_MAX) 2163 return 0; 2164 return SSL_set_max_proto_version(s, larg); 2165 2166 case SSL_CTRL_GET_SIGNATURE_NID: 2167 return _SSL_get_signature_nid(s, parg); 2168 2169 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 2170 return _SSL_get_peer_signature_nid(s, parg); 2171 2172 /* 2173 * Legacy controls that should eventually be removed. 2174 */ 2175 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2176 return 0; 2177 2178 case SSL_CTRL_GET_FLAGS: 2179 return (int)(s->s3->flags); 2180 2181 case SSL_CTRL_NEED_TMP_RSA: 2182 return 0; 2183 2184 case SSL_CTRL_SET_TMP_RSA: 2185 case SSL_CTRL_SET_TMP_RSA_CB: 2186 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2187 return 0; 2188 } 2189 2190 return 0; 2191 } 2192 2193 long 2194 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2195 { 2196 switch (cmd) { 2197 case SSL_CTRL_SET_TMP_RSA_CB: 2198 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2199 return 0; 2200 2201 case SSL_CTRL_SET_TMP_DH_CB: 2202 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 2203 return 1; 2204 2205 case SSL_CTRL_SET_TMP_ECDH_CB: 2206 return 1; 2207 2208 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2209 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2210 unsigned char *, int, void *))fp; 2211 return 1; 2212 } 2213 2214 return 0; 2215 } 2216 2217 static int 2218 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2219 { 2220 DH *dhe_params; 2221 2222 if (dh == NULL) { 2223 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 2224 return 0; 2225 } 2226 2227 if (!ssl_ctx_security_dh(ctx, dh)) { 2228 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 2229 return 0; 2230 } 2231 2232 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2233 SSLerrorx(ERR_R_DH_LIB); 2234 return 0; 2235 } 2236 2237 DH_free(ctx->cert->dhe_params); 2238 ctx->cert->dhe_params = dhe_params; 2239 2240 return 1; 2241 } 2242 2243 static int 2244 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2245 { 2246 ctx->cert->dhe_params_auto = state; 2247 return 1; 2248 } 2249 2250 static int 2251 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2252 { 2253 const EC_GROUP *group; 2254 int nid; 2255 2256 if (ecdh == NULL) 2257 return 0; 2258 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2259 return 0; 2260 2261 nid = EC_GROUP_get_curve_name(group); 2262 return SSL_CTX_set1_groups(ctx, &nid, 1); 2263 } 2264 2265 static int 2266 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2267 { 2268 return 1; 2269 } 2270 2271 static int 2272 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2273 { 2274 ctx->tlsext_servername_arg = arg; 2275 return 1; 2276 } 2277 2278 static int 2279 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2280 { 2281 if (keys == NULL) 2282 return 48; 2283 2284 if (keys_len != 48) { 2285 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2286 return 0; 2287 } 2288 2289 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2290 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2291 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2292 2293 return 1; 2294 } 2295 2296 static int 2297 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2298 { 2299 if (keys == NULL) 2300 return 48; 2301 2302 if (keys_len != 48) { 2303 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2304 return 0; 2305 } 2306 2307 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2308 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2309 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2310 2311 return 1; 2312 } 2313 2314 static int 2315 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2316 { 2317 *arg = ctx->tlsext_status_arg; 2318 return 1; 2319 } 2320 2321 static int 2322 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2323 { 2324 ctx->tlsext_status_arg = arg; 2325 return 1; 2326 } 2327 2328 int 2329 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2330 { 2331 return ssl_cert_set0_chain(ctx, NULL, chain); 2332 } 2333 LSSL_ALIAS(SSL_CTX_set0_chain); 2334 2335 int 2336 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2337 { 2338 return ssl_cert_set1_chain(ctx, NULL, chain); 2339 } 2340 LSSL_ALIAS(SSL_CTX_set1_chain); 2341 2342 int 2343 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2344 { 2345 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2346 } 2347 LSSL_ALIAS(SSL_CTX_add0_chain_cert); 2348 2349 int 2350 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2351 { 2352 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2353 } 2354 LSSL_ALIAS(SSL_CTX_add1_chain_cert); 2355 2356 int 2357 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2358 { 2359 *out_chain = NULL; 2360 2361 if (ctx->cert->key != NULL) 2362 *out_chain = ctx->cert->key->chain; 2363 2364 return 1; 2365 } 2366 LSSL_ALIAS(SSL_CTX_get0_chain_certs); 2367 2368 int 2369 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2370 { 2371 return ssl_cert_set0_chain(ctx, NULL, NULL); 2372 } 2373 LSSL_ALIAS(SSL_CTX_clear_chain_certs); 2374 2375 static int 2376 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2377 { 2378 if (ctx->extra_certs == NULL) { 2379 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2380 return 0; 2381 } 2382 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2383 return 0; 2384 2385 return 1; 2386 } 2387 2388 static int 2389 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2390 { 2391 *certs = ctx->extra_certs; 2392 if (*certs == NULL) 2393 *certs = ctx->cert->key->chain; 2394 2395 return 1; 2396 } 2397 2398 static int 2399 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2400 { 2401 *certs = ctx->extra_certs; 2402 return 1; 2403 } 2404 2405 static int 2406 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2407 { 2408 sk_X509_pop_free(ctx->extra_certs, X509_free); 2409 ctx->extra_certs = NULL; 2410 return 1; 2411 } 2412 2413 int 2414 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2415 { 2416 return tls1_set_groups(&ctx->tlsext_supportedgroups, 2417 &ctx->tlsext_supportedgroups_length, groups, groups_len); 2418 } 2419 LSSL_ALIAS(SSL_CTX_set1_groups); 2420 2421 int 2422 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2423 { 2424 return tls1_set_group_list(&ctx->tlsext_supportedgroups, 2425 &ctx->tlsext_supportedgroups_length, groups); 2426 } 2427 LSSL_ALIAS(SSL_CTX_set1_groups_list); 2428 2429 long 2430 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2431 { 2432 switch (cmd) { 2433 case SSL_CTRL_SET_TMP_DH: 2434 return _SSL_CTX_set_tmp_dh(ctx, parg); 2435 2436 case SSL_CTRL_SET_TMP_DH_CB: 2437 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2438 return 0; 2439 2440 case SSL_CTRL_SET_DH_AUTO: 2441 return _SSL_CTX_set_dh_auto(ctx, larg); 2442 2443 case SSL_CTRL_SET_TMP_ECDH: 2444 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2445 2446 case SSL_CTRL_SET_TMP_ECDH_CB: 2447 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2448 return 0; 2449 2450 case SSL_CTRL_SET_ECDH_AUTO: 2451 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2452 2453 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2454 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2455 2456 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2457 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2458 2459 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2460 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2461 2462 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2463 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2464 2465 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2466 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2467 2468 case SSL_CTRL_CHAIN: 2469 if (larg == 0) 2470 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2471 else 2472 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2473 2474 case SSL_CTRL_CHAIN_CERT: 2475 if (larg == 0) 2476 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2477 else 2478 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2479 2480 case SSL_CTRL_GET_CHAIN_CERTS: 2481 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2482 2483 case SSL_CTRL_EXTRA_CHAIN_CERT: 2484 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2485 2486 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2487 if (larg == 0) 2488 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2489 else 2490 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2491 2492 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2493 return _SSL_CTX_clear_extra_chain_certs(ctx); 2494 2495 case SSL_CTRL_SET_GROUPS: 2496 return SSL_CTX_set1_groups(ctx, parg, larg); 2497 2498 case SSL_CTRL_SET_GROUPS_LIST: 2499 return SSL_CTX_set1_groups_list(ctx, parg); 2500 2501 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2502 return SSL_CTX_get_min_proto_version(ctx); 2503 2504 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2505 return SSL_CTX_get_max_proto_version(ctx); 2506 2507 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2508 if (larg < 0 || larg > UINT16_MAX) 2509 return 0; 2510 return SSL_CTX_set_min_proto_version(ctx, larg); 2511 2512 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2513 if (larg < 0 || larg > UINT16_MAX) 2514 return 0; 2515 return SSL_CTX_set_max_proto_version(ctx, larg); 2516 2517 /* 2518 * Legacy controls that should eventually be removed. 2519 */ 2520 case SSL_CTRL_NEED_TMP_RSA: 2521 return 0; 2522 2523 case SSL_CTRL_SET_TMP_RSA: 2524 case SSL_CTRL_SET_TMP_RSA_CB: 2525 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2526 return 0; 2527 } 2528 2529 return 0; 2530 } 2531 2532 long 2533 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2534 { 2535 switch (cmd) { 2536 case SSL_CTRL_SET_TMP_RSA_CB: 2537 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2538 return 0; 2539 2540 case SSL_CTRL_SET_TMP_DH_CB: 2541 ctx->cert->dhe_params_cb = 2542 (DH *(*)(SSL *, int, int))fp; 2543 return 1; 2544 2545 case SSL_CTRL_SET_TMP_ECDH_CB: 2546 return 1; 2547 2548 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2549 ctx->tlsext_servername_callback = 2550 (int (*)(SSL *, int *, void *))fp; 2551 return 1; 2552 2553 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2554 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; 2555 return 1; 2556 2557 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2558 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2559 return 1; 2560 2561 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2562 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2563 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2564 return 1; 2565 } 2566 2567 return 0; 2568 } 2569 2570 SSL_CIPHER * 2571 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2572 STACK_OF(SSL_CIPHER) *srvr) 2573 { 2574 unsigned long alg_k, alg_a, mask_k, mask_a; 2575 STACK_OF(SSL_CIPHER) *prio, *allow; 2576 SSL_CIPHER *c, *ret = NULL; 2577 int can_use_ecc; 2578 int i, ii, nid, ok; 2579 SSL_CERT *cert; 2580 2581 /* Let's see which ciphers we can support */ 2582 cert = s->cert; 2583 2584 can_use_ecc = tls1_get_supported_group(s, &nid); 2585 2586 /* 2587 * Do not set the compare functions, because this may lead to a 2588 * reordering by "id". We want to keep the original ordering. 2589 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2590 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2591 */ 2592 2593 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2594 prio = srvr; 2595 allow = clnt; 2596 } else { 2597 prio = clnt; 2598 allow = srvr; 2599 } 2600 2601 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2602 c = sk_SSL_CIPHER_value(prio, i); 2603 2604 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2605 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2606 !SSL_USE_TLS1_2_CIPHERS(s)) 2607 continue; 2608 2609 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2610 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2611 !SSL_USE_TLS1_3_CIPHERS(s)) 2612 continue; 2613 2614 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2615 if (SSL_USE_TLS1_3_CIPHERS(s) && 2616 !(c->algorithm_ssl & SSL_TLSV1_3)) 2617 continue; 2618 2619 if (!ssl_security_shared_cipher(s, c)) 2620 continue; 2621 2622 ssl_set_cert_masks(cert, c); 2623 mask_k = cert->mask_k; 2624 mask_a = cert->mask_a; 2625 2626 alg_k = c->algorithm_mkey; 2627 alg_a = c->algorithm_auth; 2628 2629 ok = (alg_k & mask_k) && (alg_a & mask_a); 2630 2631 /* 2632 * If we are considering an ECC cipher suite that uses our 2633 * certificate check it. 2634 */ 2635 if (alg_a & SSL_aECDSA) 2636 ok = ok && tls1_check_ec_server_key(s); 2637 /* 2638 * If we are considering an ECC cipher suite that uses 2639 * an ephemeral EC key check it. 2640 */ 2641 if (alg_k & SSL_kECDHE) 2642 ok = ok && can_use_ecc; 2643 2644 if (!ok) 2645 continue; 2646 ii = sk_SSL_CIPHER_find(allow, c); 2647 if (ii >= 0) { 2648 ret = sk_SSL_CIPHER_value(allow, ii); 2649 break; 2650 } 2651 } 2652 return (ret); 2653 } 2654 2655 int 2656 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2657 { 2658 unsigned long alg_k; 2659 2660 alg_k = s->s3->hs.cipher->algorithm_mkey; 2661 2662 #ifndef OPENSSL_NO_GOST 2663 if ((alg_k & SSL_kGOST) != 0) { 2664 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2665 return 0; 2666 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2667 return 0; 2668 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2669 return 0; 2670 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2671 return 0; 2672 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2673 return 0; 2674 } 2675 #endif 2676 2677 if ((alg_k & SSL_kDHE) != 0) { 2678 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2679 return 0; 2680 } 2681 2682 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2683 return 0; 2684 2685 /* 2686 * ECDSA certs can be used with RSA cipher suites as well 2687 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2688 */ 2689 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2690 return 0; 2691 2692 return 1; 2693 } 2694 2695 int 2696 ssl3_shutdown(SSL *s) 2697 { 2698 int ret; 2699 2700 /* 2701 * Don't do anything much if we have not done the handshake or 2702 * we don't want to send messages :-) 2703 */ 2704 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2705 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2706 return (1); 2707 } 2708 2709 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { 2710 s->shutdown|=SSL_SENT_SHUTDOWN; 2711 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2712 /* 2713 * Our shutdown alert has been sent now, and if it still needs 2714 * to be written, s->s3->alert_dispatch will be true 2715 */ 2716 if (s->s3->alert_dispatch) 2717 return (-1); /* return WANT_WRITE */ 2718 } else if (s->s3->alert_dispatch) { 2719 /* resend it if not sent */ 2720 ret = ssl3_dispatch_alert(s); 2721 if (ret == -1) { 2722 /* 2723 * We only get to return -1 here the 2nd/Nth 2724 * invocation, we must have already signalled 2725 * return 0 upon a previous invoation, 2726 * return WANT_WRITE 2727 */ 2728 return (ret); 2729 } 2730 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2731 /* If we are waiting for a close from our peer, we are closed */ 2732 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2733 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2734 return (-1); /* return WANT_READ */ 2735 } 2736 } 2737 2738 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2739 !s->s3->alert_dispatch) 2740 return (1); 2741 else 2742 return (0); 2743 } 2744 2745 int 2746 ssl3_write(SSL *s, const void *buf, int len) 2747 { 2748 errno = 0; 2749 2750 if (s->s3->renegotiate) 2751 ssl3_renegotiate_check(s); 2752 2753 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2754 buf, len); 2755 } 2756 2757 static int 2758 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2759 { 2760 int ret; 2761 2762 errno = 0; 2763 if (s->s3->renegotiate) 2764 ssl3_renegotiate_check(s); 2765 s->s3->in_read_app_data = 1; 2766 2767 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2768 peek); 2769 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2770 /* 2771 * ssl3_read_bytes decided to call s->handshake_func, 2772 * which called ssl3_read_bytes to read handshake data. 2773 * However, ssl3_read_bytes actually found application data 2774 * and thinks that application data makes sense here; so disable 2775 * handshake processing and try to read application data again. 2776 */ 2777 s->in_handshake++; 2778 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2779 buf, len, peek); 2780 s->in_handshake--; 2781 } else 2782 s->s3->in_read_app_data = 0; 2783 2784 return (ret); 2785 } 2786 2787 int 2788 ssl3_read(SSL *s, void *buf, int len) 2789 { 2790 return ssl3_read_internal(s, buf, len, 0); 2791 } 2792 2793 int 2794 ssl3_peek(SSL *s, void *buf, int len) 2795 { 2796 return ssl3_read_internal(s, buf, len, 1); 2797 } 2798 2799 int 2800 ssl3_renegotiate(SSL *s) 2801 { 2802 if (s->handshake_func == NULL) 2803 return 1; 2804 2805 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2806 return 0; 2807 2808 s->s3->renegotiate = 1; 2809 2810 return 1; 2811 } 2812 2813 int 2814 ssl3_renegotiate_check(SSL *s) 2815 { 2816 if (!s->s3->renegotiate) 2817 return 0; 2818 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2819 return 0; 2820 2821 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2822 s->s3->renegotiate = 0; 2823 s->s3->num_renegotiations++; 2824 s->s3->total_renegotiations++; 2825 2826 return 1; 2827 } 2828