1 /* $OpenBSD: s3_lib.c,v 1.248 2023/11/29 13:39:34 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 #include <stdlib.h> 154 155 #include <openssl/bn.h> 156 #include <openssl/curve25519.h> 157 #include <openssl/dh.h> 158 #include <openssl/md5.h> 159 #include <openssl/objects.h> 160 #include <openssl/opensslconf.h> 161 162 #include "bytestring.h" 163 #include "dtls_local.h" 164 #include "ssl_local.h" 165 #include "ssl_sigalgs.h" 166 #include "ssl_tlsext.h" 167 #include "tls_content.h" 168 169 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 170 171 /* 172 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 173 * fixed nonce length in algorithms2. It is the inverse of the 174 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 175 */ 176 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 177 178 /* list of available SSLv3 ciphers (sorted by id) */ 179 const SSL_CIPHER ssl3_ciphers[] = { 180 181 /* The RSA ciphers */ 182 /* Cipher 01 */ 183 { 184 .valid = 1, 185 .name = SSL3_TXT_RSA_NULL_MD5, 186 .id = SSL3_CK_RSA_NULL_MD5, 187 .algorithm_mkey = SSL_kRSA, 188 .algorithm_auth = SSL_aRSA, 189 .algorithm_enc = SSL_eNULL, 190 .algorithm_mac = SSL_MD5, 191 .algorithm_ssl = SSL_SSLV3, 192 .algo_strength = SSL_STRONG_NONE, 193 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 194 .strength_bits = 0, 195 .alg_bits = 0, 196 }, 197 198 /* Cipher 02 */ 199 { 200 .valid = 1, 201 .name = SSL3_TXT_RSA_NULL_SHA, 202 .id = SSL3_CK_RSA_NULL_SHA, 203 .algorithm_mkey = SSL_kRSA, 204 .algorithm_auth = SSL_aRSA, 205 .algorithm_enc = SSL_eNULL, 206 .algorithm_mac = SSL_SHA1, 207 .algorithm_ssl = SSL_SSLV3, 208 .algo_strength = SSL_STRONG_NONE, 209 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 210 .strength_bits = 0, 211 .alg_bits = 0, 212 }, 213 214 /* Cipher 04 */ 215 { 216 .valid = 1, 217 .name = SSL3_TXT_RSA_RC4_128_MD5, 218 .id = SSL3_CK_RSA_RC4_128_MD5, 219 .algorithm_mkey = SSL_kRSA, 220 .algorithm_auth = SSL_aRSA, 221 .algorithm_enc = SSL_RC4, 222 .algorithm_mac = SSL_MD5, 223 .algorithm_ssl = SSL_SSLV3, 224 .algo_strength = SSL_LOW, 225 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 226 .strength_bits = 128, 227 .alg_bits = 128, 228 }, 229 230 /* Cipher 05 */ 231 { 232 .valid = 1, 233 .name = SSL3_TXT_RSA_RC4_128_SHA, 234 .id = SSL3_CK_RSA_RC4_128_SHA, 235 .algorithm_mkey = SSL_kRSA, 236 .algorithm_auth = SSL_aRSA, 237 .algorithm_enc = SSL_RC4, 238 .algorithm_mac = SSL_SHA1, 239 .algorithm_ssl = SSL_SSLV3, 240 .algo_strength = SSL_LOW, 241 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 242 .strength_bits = 128, 243 .alg_bits = 128, 244 }, 245 246 /* Cipher 0A */ 247 { 248 .valid = 1, 249 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 250 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 251 .algorithm_mkey = SSL_kRSA, 252 .algorithm_auth = SSL_aRSA, 253 .algorithm_enc = SSL_3DES, 254 .algorithm_mac = SSL_SHA1, 255 .algorithm_ssl = SSL_SSLV3, 256 .algo_strength = SSL_MEDIUM, 257 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 258 .strength_bits = 112, 259 .alg_bits = 168, 260 }, 261 262 /* 263 * Ephemeral DH (DHE) ciphers. 264 */ 265 266 /* Cipher 16 */ 267 { 268 .valid = 1, 269 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 270 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 271 .algorithm_mkey = SSL_kDHE, 272 .algorithm_auth = SSL_aRSA, 273 .algorithm_enc = SSL_3DES, 274 .algorithm_mac = SSL_SHA1, 275 .algorithm_ssl = SSL_SSLV3, 276 .algo_strength = SSL_MEDIUM, 277 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 278 .strength_bits = 112, 279 .alg_bits = 168, 280 }, 281 282 /* Cipher 18 */ 283 { 284 .valid = 1, 285 .name = SSL3_TXT_ADH_RC4_128_MD5, 286 .id = SSL3_CK_ADH_RC4_128_MD5, 287 .algorithm_mkey = SSL_kDHE, 288 .algorithm_auth = SSL_aNULL, 289 .algorithm_enc = SSL_RC4, 290 .algorithm_mac = SSL_MD5, 291 .algorithm_ssl = SSL_SSLV3, 292 .algo_strength = SSL_LOW, 293 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 294 .strength_bits = 128, 295 .alg_bits = 128, 296 }, 297 298 /* Cipher 1B */ 299 { 300 .valid = 1, 301 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 302 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 303 .algorithm_mkey = SSL_kDHE, 304 .algorithm_auth = SSL_aNULL, 305 .algorithm_enc = SSL_3DES, 306 .algorithm_mac = SSL_SHA1, 307 .algorithm_ssl = SSL_SSLV3, 308 .algo_strength = SSL_MEDIUM, 309 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 310 .strength_bits = 112, 311 .alg_bits = 168, 312 }, 313 314 /* 315 * AES ciphersuites. 316 */ 317 318 /* Cipher 2F */ 319 { 320 .valid = 1, 321 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 322 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 323 .algorithm_mkey = SSL_kRSA, 324 .algorithm_auth = SSL_aRSA, 325 .algorithm_enc = SSL_AES128, 326 .algorithm_mac = SSL_SHA1, 327 .algorithm_ssl = SSL_TLSV1, 328 .algo_strength = SSL_HIGH, 329 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 330 .strength_bits = 128, 331 .alg_bits = 128, 332 }, 333 334 /* Cipher 33 */ 335 { 336 .valid = 1, 337 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 338 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 339 .algorithm_mkey = SSL_kDHE, 340 .algorithm_auth = SSL_aRSA, 341 .algorithm_enc = SSL_AES128, 342 .algorithm_mac = SSL_SHA1, 343 .algorithm_ssl = SSL_TLSV1, 344 .algo_strength = SSL_HIGH, 345 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 346 .strength_bits = 128, 347 .alg_bits = 128, 348 }, 349 350 /* Cipher 34 */ 351 { 352 .valid = 1, 353 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 354 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 355 .algorithm_mkey = SSL_kDHE, 356 .algorithm_auth = SSL_aNULL, 357 .algorithm_enc = SSL_AES128, 358 .algorithm_mac = SSL_SHA1, 359 .algorithm_ssl = SSL_TLSV1, 360 .algo_strength = SSL_HIGH, 361 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 362 .strength_bits = 128, 363 .alg_bits = 128, 364 }, 365 366 /* Cipher 35 */ 367 { 368 .valid = 1, 369 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 370 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 371 .algorithm_mkey = SSL_kRSA, 372 .algorithm_auth = SSL_aRSA, 373 .algorithm_enc = SSL_AES256, 374 .algorithm_mac = SSL_SHA1, 375 .algorithm_ssl = SSL_TLSV1, 376 .algo_strength = SSL_HIGH, 377 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 378 .strength_bits = 256, 379 .alg_bits = 256, 380 }, 381 382 /* Cipher 39 */ 383 { 384 .valid = 1, 385 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 386 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 387 .algorithm_mkey = SSL_kDHE, 388 .algorithm_auth = SSL_aRSA, 389 .algorithm_enc = SSL_AES256, 390 .algorithm_mac = SSL_SHA1, 391 .algorithm_ssl = SSL_TLSV1, 392 .algo_strength = SSL_HIGH, 393 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 394 .strength_bits = 256, 395 .alg_bits = 256, 396 }, 397 398 /* Cipher 3A */ 399 { 400 .valid = 1, 401 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 402 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 403 .algorithm_mkey = SSL_kDHE, 404 .algorithm_auth = SSL_aNULL, 405 .algorithm_enc = SSL_AES256, 406 .algorithm_mac = SSL_SHA1, 407 .algorithm_ssl = SSL_TLSV1, 408 .algo_strength = SSL_HIGH, 409 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 410 .strength_bits = 256, 411 .alg_bits = 256, 412 }, 413 414 /* TLS v1.2 ciphersuites */ 415 /* Cipher 3B */ 416 { 417 .valid = 1, 418 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 419 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 420 .algorithm_mkey = SSL_kRSA, 421 .algorithm_auth = SSL_aRSA, 422 .algorithm_enc = SSL_eNULL, 423 .algorithm_mac = SSL_SHA256, 424 .algorithm_ssl = SSL_TLSV1_2, 425 .algo_strength = SSL_STRONG_NONE, 426 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 427 .strength_bits = 0, 428 .alg_bits = 0, 429 }, 430 431 /* Cipher 3C */ 432 { 433 .valid = 1, 434 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 435 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 436 .algorithm_mkey = SSL_kRSA, 437 .algorithm_auth = SSL_aRSA, 438 .algorithm_enc = SSL_AES128, 439 .algorithm_mac = SSL_SHA256, 440 .algorithm_ssl = SSL_TLSV1_2, 441 .algo_strength = SSL_HIGH, 442 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 443 .strength_bits = 128, 444 .alg_bits = 128, 445 }, 446 447 /* Cipher 3D */ 448 { 449 .valid = 1, 450 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 451 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 452 .algorithm_mkey = SSL_kRSA, 453 .algorithm_auth = SSL_aRSA, 454 .algorithm_enc = SSL_AES256, 455 .algorithm_mac = SSL_SHA256, 456 .algorithm_ssl = SSL_TLSV1_2, 457 .algo_strength = SSL_HIGH, 458 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 459 .strength_bits = 256, 460 .alg_bits = 256, 461 }, 462 463 #ifndef OPENSSL_NO_CAMELLIA 464 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 465 466 /* Cipher 41 */ 467 { 468 .valid = 1, 469 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 470 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 471 .algorithm_mkey = SSL_kRSA, 472 .algorithm_auth = SSL_aRSA, 473 .algorithm_enc = SSL_CAMELLIA128, 474 .algorithm_mac = SSL_SHA1, 475 .algorithm_ssl = SSL_TLSV1, 476 .algo_strength = SSL_HIGH, 477 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 478 .strength_bits = 128, 479 .alg_bits = 128, 480 }, 481 482 /* Cipher 45 */ 483 { 484 .valid = 1, 485 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 486 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 487 .algorithm_mkey = SSL_kDHE, 488 .algorithm_auth = SSL_aRSA, 489 .algorithm_enc = SSL_CAMELLIA128, 490 .algorithm_mac = SSL_SHA1, 491 .algorithm_ssl = SSL_TLSV1, 492 .algo_strength = SSL_HIGH, 493 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 494 .strength_bits = 128, 495 .alg_bits = 128, 496 }, 497 498 /* Cipher 46 */ 499 { 500 .valid = 1, 501 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 502 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 503 .algorithm_mkey = SSL_kDHE, 504 .algorithm_auth = SSL_aNULL, 505 .algorithm_enc = SSL_CAMELLIA128, 506 .algorithm_mac = SSL_SHA1, 507 .algorithm_ssl = SSL_TLSV1, 508 .algo_strength = SSL_HIGH, 509 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 510 .strength_bits = 128, 511 .alg_bits = 128, 512 }, 513 #endif /* OPENSSL_NO_CAMELLIA */ 514 515 /* TLS v1.2 ciphersuites */ 516 /* Cipher 67 */ 517 { 518 .valid = 1, 519 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 520 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 521 .algorithm_mkey = SSL_kDHE, 522 .algorithm_auth = SSL_aRSA, 523 .algorithm_enc = SSL_AES128, 524 .algorithm_mac = SSL_SHA256, 525 .algorithm_ssl = SSL_TLSV1_2, 526 .algo_strength = SSL_HIGH, 527 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 528 .strength_bits = 128, 529 .alg_bits = 128, 530 }, 531 532 /* Cipher 6B */ 533 { 534 .valid = 1, 535 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 536 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 537 .algorithm_mkey = SSL_kDHE, 538 .algorithm_auth = SSL_aRSA, 539 .algorithm_enc = SSL_AES256, 540 .algorithm_mac = SSL_SHA256, 541 .algorithm_ssl = SSL_TLSV1_2, 542 .algo_strength = SSL_HIGH, 543 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 544 .strength_bits = 256, 545 .alg_bits = 256, 546 }, 547 548 /* Cipher 6C */ 549 { 550 .valid = 1, 551 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 552 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 553 .algorithm_mkey = SSL_kDHE, 554 .algorithm_auth = SSL_aNULL, 555 .algorithm_enc = SSL_AES128, 556 .algorithm_mac = SSL_SHA256, 557 .algorithm_ssl = SSL_TLSV1_2, 558 .algo_strength = SSL_HIGH, 559 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 560 .strength_bits = 128, 561 .alg_bits = 128, 562 }, 563 564 /* Cipher 6D */ 565 { 566 .valid = 1, 567 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 568 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 569 .algorithm_mkey = SSL_kDHE, 570 .algorithm_auth = SSL_aNULL, 571 .algorithm_enc = SSL_AES256, 572 .algorithm_mac = SSL_SHA256, 573 .algorithm_ssl = SSL_TLSV1_2, 574 .algo_strength = SSL_HIGH, 575 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 576 .strength_bits = 256, 577 .alg_bits = 256, 578 }, 579 580 /* GOST Ciphersuites */ 581 582 /* Cipher 81 */ 583 { 584 .valid = 1, 585 .name = "GOST2001-GOST89-GOST89", 586 .id = 0x3000081, 587 .algorithm_mkey = SSL_kGOST, 588 .algorithm_auth = SSL_aGOST01, 589 .algorithm_enc = SSL_eGOST2814789CNT, 590 .algorithm_mac = SSL_GOST89MAC, 591 .algorithm_ssl = SSL_TLSV1, 592 .algo_strength = SSL_HIGH, 593 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 594 TLS1_STREAM_MAC, 595 .strength_bits = 256, 596 .alg_bits = 256 597 }, 598 599 /* Cipher 83 */ 600 { 601 .valid = 1, 602 .name = "GOST2001-NULL-GOST94", 603 .id = 0x3000083, 604 .algorithm_mkey = SSL_kGOST, 605 .algorithm_auth = SSL_aGOST01, 606 .algorithm_enc = SSL_eNULL, 607 .algorithm_mac = SSL_GOST94, 608 .algorithm_ssl = SSL_TLSV1, 609 .algo_strength = SSL_STRONG_NONE, 610 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 611 .strength_bits = 0, 612 .alg_bits = 0 613 }, 614 615 #ifndef OPENSSL_NO_CAMELLIA 616 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 617 618 /* Cipher 84 */ 619 { 620 .valid = 1, 621 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 622 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 623 .algorithm_mkey = SSL_kRSA, 624 .algorithm_auth = SSL_aRSA, 625 .algorithm_enc = SSL_CAMELLIA256, 626 .algorithm_mac = SSL_SHA1, 627 .algorithm_ssl = SSL_TLSV1, 628 .algo_strength = SSL_HIGH, 629 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 630 .strength_bits = 256, 631 .alg_bits = 256, 632 }, 633 634 /* Cipher 88 */ 635 { 636 .valid = 1, 637 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 638 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 639 .algorithm_mkey = SSL_kDHE, 640 .algorithm_auth = SSL_aRSA, 641 .algorithm_enc = SSL_CAMELLIA256, 642 .algorithm_mac = SSL_SHA1, 643 .algorithm_ssl = SSL_TLSV1, 644 .algo_strength = SSL_HIGH, 645 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 646 .strength_bits = 256, 647 .alg_bits = 256, 648 }, 649 650 /* Cipher 89 */ 651 { 652 .valid = 1, 653 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 654 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 655 .algorithm_mkey = SSL_kDHE, 656 .algorithm_auth = SSL_aNULL, 657 .algorithm_enc = SSL_CAMELLIA256, 658 .algorithm_mac = SSL_SHA1, 659 .algorithm_ssl = SSL_TLSV1, 660 .algo_strength = SSL_HIGH, 661 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 662 .strength_bits = 256, 663 .alg_bits = 256, 664 }, 665 #endif /* OPENSSL_NO_CAMELLIA */ 666 667 /* 668 * GCM ciphersuites from RFC5288. 669 */ 670 671 /* Cipher 9C */ 672 { 673 .valid = 1, 674 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 675 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 676 .algorithm_mkey = SSL_kRSA, 677 .algorithm_auth = SSL_aRSA, 678 .algorithm_enc = SSL_AES128GCM, 679 .algorithm_mac = SSL_AEAD, 680 .algorithm_ssl = SSL_TLSV1_2, 681 .algo_strength = SSL_HIGH, 682 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 683 FIXED_NONCE_LEN(4)| 684 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 685 .strength_bits = 128, 686 .alg_bits = 128, 687 }, 688 689 /* Cipher 9D */ 690 { 691 .valid = 1, 692 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 693 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 694 .algorithm_mkey = SSL_kRSA, 695 .algorithm_auth = SSL_aRSA, 696 .algorithm_enc = SSL_AES256GCM, 697 .algorithm_mac = SSL_AEAD, 698 .algorithm_ssl = SSL_TLSV1_2, 699 .algo_strength = SSL_HIGH, 700 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 701 FIXED_NONCE_LEN(4)| 702 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 703 .strength_bits = 256, 704 .alg_bits = 256, 705 }, 706 707 /* Cipher 9E */ 708 { 709 .valid = 1, 710 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 711 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 712 .algorithm_mkey = SSL_kDHE, 713 .algorithm_auth = SSL_aRSA, 714 .algorithm_enc = SSL_AES128GCM, 715 .algorithm_mac = SSL_AEAD, 716 .algorithm_ssl = SSL_TLSV1_2, 717 .algo_strength = SSL_HIGH, 718 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 719 FIXED_NONCE_LEN(4)| 720 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 721 .strength_bits = 128, 722 .alg_bits = 128, 723 }, 724 725 /* Cipher 9F */ 726 { 727 .valid = 1, 728 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 729 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 730 .algorithm_mkey = SSL_kDHE, 731 .algorithm_auth = SSL_aRSA, 732 .algorithm_enc = SSL_AES256GCM, 733 .algorithm_mac = SSL_AEAD, 734 .algorithm_ssl = SSL_TLSV1_2, 735 .algo_strength = SSL_HIGH, 736 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 737 FIXED_NONCE_LEN(4)| 738 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 739 .strength_bits = 256, 740 .alg_bits = 256, 741 }, 742 743 /* Cipher A6 */ 744 { 745 .valid = 1, 746 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 747 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 748 .algorithm_mkey = SSL_kDHE, 749 .algorithm_auth = SSL_aNULL, 750 .algorithm_enc = SSL_AES128GCM, 751 .algorithm_mac = SSL_AEAD, 752 .algorithm_ssl = SSL_TLSV1_2, 753 .algo_strength = SSL_HIGH, 754 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 755 FIXED_NONCE_LEN(4)| 756 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 757 .strength_bits = 128, 758 .alg_bits = 128, 759 }, 760 761 /* Cipher A7 */ 762 { 763 .valid = 1, 764 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 765 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 766 .algorithm_mkey = SSL_kDHE, 767 .algorithm_auth = SSL_aNULL, 768 .algorithm_enc = SSL_AES256GCM, 769 .algorithm_mac = SSL_AEAD, 770 .algorithm_ssl = SSL_TLSV1_2, 771 .algo_strength = SSL_HIGH, 772 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 773 FIXED_NONCE_LEN(4)| 774 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 775 .strength_bits = 256, 776 .alg_bits = 256, 777 }, 778 779 #ifndef OPENSSL_NO_CAMELLIA 780 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 781 782 /* Cipher BA */ 783 { 784 .valid = 1, 785 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 786 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 787 .algorithm_mkey = SSL_kRSA, 788 .algorithm_auth = SSL_aRSA, 789 .algorithm_enc = SSL_CAMELLIA128, 790 .algorithm_mac = SSL_SHA256, 791 .algorithm_ssl = SSL_TLSV1_2, 792 .algo_strength = SSL_HIGH, 793 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 794 .strength_bits = 128, 795 .alg_bits = 128, 796 }, 797 798 /* Cipher BE */ 799 { 800 .valid = 1, 801 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 802 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 803 .algorithm_mkey = SSL_kDHE, 804 .algorithm_auth = SSL_aRSA, 805 .algorithm_enc = SSL_CAMELLIA128, 806 .algorithm_mac = SSL_SHA256, 807 .algorithm_ssl = SSL_TLSV1_2, 808 .algo_strength = SSL_HIGH, 809 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 810 .strength_bits = 128, 811 .alg_bits = 128, 812 }, 813 814 /* Cipher BF */ 815 { 816 .valid = 1, 817 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 818 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 819 .algorithm_mkey = SSL_kDHE, 820 .algorithm_auth = SSL_aNULL, 821 .algorithm_enc = SSL_CAMELLIA128, 822 .algorithm_mac = SSL_SHA256, 823 .algorithm_ssl = SSL_TLSV1_2, 824 .algo_strength = SSL_HIGH, 825 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 826 .strength_bits = 128, 827 .alg_bits = 128, 828 }, 829 830 /* Cipher C0 */ 831 { 832 .valid = 1, 833 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 834 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 835 .algorithm_mkey = SSL_kRSA, 836 .algorithm_auth = SSL_aRSA, 837 .algorithm_enc = SSL_CAMELLIA256, 838 .algorithm_mac = SSL_SHA256, 839 .algorithm_ssl = SSL_TLSV1_2, 840 .algo_strength = SSL_HIGH, 841 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 842 .strength_bits = 256, 843 .alg_bits = 256, 844 }, 845 846 /* Cipher C4 */ 847 { 848 .valid = 1, 849 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 850 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 851 .algorithm_mkey = SSL_kDHE, 852 .algorithm_auth = SSL_aRSA, 853 .algorithm_enc = SSL_CAMELLIA256, 854 .algorithm_mac = SSL_SHA256, 855 .algorithm_ssl = SSL_TLSV1_2, 856 .algo_strength = SSL_HIGH, 857 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 858 .strength_bits = 256, 859 .alg_bits = 256, 860 }, 861 862 /* Cipher C5 */ 863 { 864 .valid = 1, 865 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 866 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 867 .algorithm_mkey = SSL_kDHE, 868 .algorithm_auth = SSL_aNULL, 869 .algorithm_enc = SSL_CAMELLIA256, 870 .algorithm_mac = SSL_SHA256, 871 .algorithm_ssl = SSL_TLSV1_2, 872 .algo_strength = SSL_HIGH, 873 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 874 .strength_bits = 256, 875 .alg_bits = 256, 876 }, 877 #endif /* OPENSSL_NO_CAMELLIA */ 878 879 /* 880 * TLSv1.3 cipher suites. 881 */ 882 883 #ifdef LIBRESSL_HAS_TLS1_3 884 /* Cipher 1301 */ 885 { 886 .valid = 1, 887 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 888 .id = TLS1_3_CK_AES_128_GCM_SHA256, 889 .algorithm_mkey = SSL_kTLS1_3, 890 .algorithm_auth = SSL_aTLS1_3, 891 .algorithm_enc = SSL_AES128GCM, 892 .algorithm_mac = SSL_AEAD, 893 .algorithm_ssl = SSL_TLSV1_3, 894 .algo_strength = SSL_HIGH, 895 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 896 .strength_bits = 128, 897 .alg_bits = 128, 898 }, 899 900 /* Cipher 1302 */ 901 { 902 .valid = 1, 903 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 904 .id = TLS1_3_CK_AES_256_GCM_SHA384, 905 .algorithm_mkey = SSL_kTLS1_3, 906 .algorithm_auth = SSL_aTLS1_3, 907 .algorithm_enc = SSL_AES256GCM, 908 .algorithm_mac = SSL_AEAD, 909 .algorithm_ssl = SSL_TLSV1_3, 910 .algo_strength = SSL_HIGH, 911 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 912 .strength_bits = 256, 913 .alg_bits = 256, 914 }, 915 916 /* Cipher 1303 */ 917 { 918 .valid = 1, 919 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 920 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 921 .algorithm_mkey = SSL_kTLS1_3, 922 .algorithm_auth = SSL_aTLS1_3, 923 .algorithm_enc = SSL_CHACHA20POLY1305, 924 .algorithm_mac = SSL_AEAD, 925 .algorithm_ssl = SSL_TLSV1_3, 926 .algo_strength = SSL_HIGH, 927 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 928 .strength_bits = 256, 929 .alg_bits = 256, 930 }, 931 #endif 932 933 /* Cipher C006 */ 934 { 935 .valid = 1, 936 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 937 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 938 .algorithm_mkey = SSL_kECDHE, 939 .algorithm_auth = SSL_aECDSA, 940 .algorithm_enc = SSL_eNULL, 941 .algorithm_mac = SSL_SHA1, 942 .algorithm_ssl = SSL_TLSV1, 943 .algo_strength = SSL_STRONG_NONE, 944 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 945 .strength_bits = 0, 946 .alg_bits = 0, 947 }, 948 949 /* Cipher C007 */ 950 { 951 .valid = 1, 952 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 953 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 954 .algorithm_mkey = SSL_kECDHE, 955 .algorithm_auth = SSL_aECDSA, 956 .algorithm_enc = SSL_RC4, 957 .algorithm_mac = SSL_SHA1, 958 .algorithm_ssl = SSL_TLSV1, 959 .algo_strength = SSL_LOW, 960 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 961 .strength_bits = 128, 962 .alg_bits = 128, 963 }, 964 965 /* Cipher C008 */ 966 { 967 .valid = 1, 968 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 969 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 970 .algorithm_mkey = SSL_kECDHE, 971 .algorithm_auth = SSL_aECDSA, 972 .algorithm_enc = SSL_3DES, 973 .algorithm_mac = SSL_SHA1, 974 .algorithm_ssl = SSL_TLSV1, 975 .algo_strength = SSL_MEDIUM, 976 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 977 .strength_bits = 112, 978 .alg_bits = 168, 979 }, 980 981 /* Cipher C009 */ 982 { 983 .valid = 1, 984 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 985 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 986 .algorithm_mkey = SSL_kECDHE, 987 .algorithm_auth = SSL_aECDSA, 988 .algorithm_enc = SSL_AES128, 989 .algorithm_mac = SSL_SHA1, 990 .algorithm_ssl = SSL_TLSV1, 991 .algo_strength = SSL_HIGH, 992 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 993 .strength_bits = 128, 994 .alg_bits = 128, 995 }, 996 997 /* Cipher C00A */ 998 { 999 .valid = 1, 1000 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1001 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1002 .algorithm_mkey = SSL_kECDHE, 1003 .algorithm_auth = SSL_aECDSA, 1004 .algorithm_enc = SSL_AES256, 1005 .algorithm_mac = SSL_SHA1, 1006 .algorithm_ssl = SSL_TLSV1, 1007 .algo_strength = SSL_HIGH, 1008 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1009 .strength_bits = 256, 1010 .alg_bits = 256, 1011 }, 1012 1013 /* Cipher C010 */ 1014 { 1015 .valid = 1, 1016 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1017 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1018 .algorithm_mkey = SSL_kECDHE, 1019 .algorithm_auth = SSL_aRSA, 1020 .algorithm_enc = SSL_eNULL, 1021 .algorithm_mac = SSL_SHA1, 1022 .algorithm_ssl = SSL_TLSV1, 1023 .algo_strength = SSL_STRONG_NONE, 1024 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1025 .strength_bits = 0, 1026 .alg_bits = 0, 1027 }, 1028 1029 /* Cipher C011 */ 1030 { 1031 .valid = 1, 1032 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1033 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1034 .algorithm_mkey = SSL_kECDHE, 1035 .algorithm_auth = SSL_aRSA, 1036 .algorithm_enc = SSL_RC4, 1037 .algorithm_mac = SSL_SHA1, 1038 .algorithm_ssl = SSL_TLSV1, 1039 .algo_strength = SSL_LOW, 1040 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1041 .strength_bits = 128, 1042 .alg_bits = 128, 1043 }, 1044 1045 /* Cipher C012 */ 1046 { 1047 .valid = 1, 1048 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1049 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1050 .algorithm_mkey = SSL_kECDHE, 1051 .algorithm_auth = SSL_aRSA, 1052 .algorithm_enc = SSL_3DES, 1053 .algorithm_mac = SSL_SHA1, 1054 .algorithm_ssl = SSL_TLSV1, 1055 .algo_strength = SSL_MEDIUM, 1056 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1057 .strength_bits = 112, 1058 .alg_bits = 168, 1059 }, 1060 1061 /* Cipher C013 */ 1062 { 1063 .valid = 1, 1064 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1065 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1066 .algorithm_mkey = SSL_kECDHE, 1067 .algorithm_auth = SSL_aRSA, 1068 .algorithm_enc = SSL_AES128, 1069 .algorithm_mac = SSL_SHA1, 1070 .algorithm_ssl = SSL_TLSV1, 1071 .algo_strength = SSL_HIGH, 1072 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1073 .strength_bits = 128, 1074 .alg_bits = 128, 1075 }, 1076 1077 /* Cipher C014 */ 1078 { 1079 .valid = 1, 1080 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1081 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1082 .algorithm_mkey = SSL_kECDHE, 1083 .algorithm_auth = SSL_aRSA, 1084 .algorithm_enc = SSL_AES256, 1085 .algorithm_mac = SSL_SHA1, 1086 .algorithm_ssl = SSL_TLSV1, 1087 .algo_strength = SSL_HIGH, 1088 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1089 .strength_bits = 256, 1090 .alg_bits = 256, 1091 }, 1092 1093 /* Cipher C015 */ 1094 { 1095 .valid = 1, 1096 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1097 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1098 .algorithm_mkey = SSL_kECDHE, 1099 .algorithm_auth = SSL_aNULL, 1100 .algorithm_enc = SSL_eNULL, 1101 .algorithm_mac = SSL_SHA1, 1102 .algorithm_ssl = SSL_TLSV1, 1103 .algo_strength = SSL_STRONG_NONE, 1104 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1105 .strength_bits = 0, 1106 .alg_bits = 0, 1107 }, 1108 1109 /* Cipher C016 */ 1110 { 1111 .valid = 1, 1112 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1113 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1114 .algorithm_mkey = SSL_kECDHE, 1115 .algorithm_auth = SSL_aNULL, 1116 .algorithm_enc = SSL_RC4, 1117 .algorithm_mac = SSL_SHA1, 1118 .algorithm_ssl = SSL_TLSV1, 1119 .algo_strength = SSL_LOW, 1120 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1121 .strength_bits = 128, 1122 .alg_bits = 128, 1123 }, 1124 1125 /* Cipher C017 */ 1126 { 1127 .valid = 1, 1128 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1129 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1130 .algorithm_mkey = SSL_kECDHE, 1131 .algorithm_auth = SSL_aNULL, 1132 .algorithm_enc = SSL_3DES, 1133 .algorithm_mac = SSL_SHA1, 1134 .algorithm_ssl = SSL_TLSV1, 1135 .algo_strength = SSL_MEDIUM, 1136 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1137 .strength_bits = 112, 1138 .alg_bits = 168, 1139 }, 1140 1141 /* Cipher C018 */ 1142 { 1143 .valid = 1, 1144 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1145 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1146 .algorithm_mkey = SSL_kECDHE, 1147 .algorithm_auth = SSL_aNULL, 1148 .algorithm_enc = SSL_AES128, 1149 .algorithm_mac = SSL_SHA1, 1150 .algorithm_ssl = SSL_TLSV1, 1151 .algo_strength = SSL_HIGH, 1152 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1153 .strength_bits = 128, 1154 .alg_bits = 128, 1155 }, 1156 1157 /* Cipher C019 */ 1158 { 1159 .valid = 1, 1160 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1161 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1162 .algorithm_mkey = SSL_kECDHE, 1163 .algorithm_auth = SSL_aNULL, 1164 .algorithm_enc = SSL_AES256, 1165 .algorithm_mac = SSL_SHA1, 1166 .algorithm_ssl = SSL_TLSV1, 1167 .algo_strength = SSL_HIGH, 1168 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1169 .strength_bits = 256, 1170 .alg_bits = 256, 1171 }, 1172 1173 1174 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1175 1176 /* Cipher C023 */ 1177 { 1178 .valid = 1, 1179 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1180 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1181 .algorithm_mkey = SSL_kECDHE, 1182 .algorithm_auth = SSL_aECDSA, 1183 .algorithm_enc = SSL_AES128, 1184 .algorithm_mac = SSL_SHA256, 1185 .algorithm_ssl = SSL_TLSV1_2, 1186 .algo_strength = SSL_HIGH, 1187 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1188 .strength_bits = 128, 1189 .alg_bits = 128, 1190 }, 1191 1192 /* Cipher C024 */ 1193 { 1194 .valid = 1, 1195 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1196 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1197 .algorithm_mkey = SSL_kECDHE, 1198 .algorithm_auth = SSL_aECDSA, 1199 .algorithm_enc = SSL_AES256, 1200 .algorithm_mac = SSL_SHA384, 1201 .algorithm_ssl = SSL_TLSV1_2, 1202 .algo_strength = SSL_HIGH, 1203 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1204 .strength_bits = 256, 1205 .alg_bits = 256, 1206 }, 1207 1208 /* Cipher C027 */ 1209 { 1210 .valid = 1, 1211 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1212 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1213 .algorithm_mkey = SSL_kECDHE, 1214 .algorithm_auth = SSL_aRSA, 1215 .algorithm_enc = SSL_AES128, 1216 .algorithm_mac = SSL_SHA256, 1217 .algorithm_ssl = SSL_TLSV1_2, 1218 .algo_strength = SSL_HIGH, 1219 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1220 .strength_bits = 128, 1221 .alg_bits = 128, 1222 }, 1223 1224 /* Cipher C028 */ 1225 { 1226 .valid = 1, 1227 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1228 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1229 .algorithm_mkey = SSL_kECDHE, 1230 .algorithm_auth = SSL_aRSA, 1231 .algorithm_enc = SSL_AES256, 1232 .algorithm_mac = SSL_SHA384, 1233 .algorithm_ssl = SSL_TLSV1_2, 1234 .algo_strength = SSL_HIGH, 1235 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1236 .strength_bits = 256, 1237 .alg_bits = 256, 1238 }, 1239 1240 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1241 1242 /* Cipher C02B */ 1243 { 1244 .valid = 1, 1245 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1246 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1247 .algorithm_mkey = SSL_kECDHE, 1248 .algorithm_auth = SSL_aECDSA, 1249 .algorithm_enc = SSL_AES128GCM, 1250 .algorithm_mac = SSL_AEAD, 1251 .algorithm_ssl = SSL_TLSV1_2, 1252 .algo_strength = SSL_HIGH, 1253 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1254 FIXED_NONCE_LEN(4)| 1255 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1256 .strength_bits = 128, 1257 .alg_bits = 128, 1258 }, 1259 1260 /* Cipher C02C */ 1261 { 1262 .valid = 1, 1263 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1264 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1265 .algorithm_mkey = SSL_kECDHE, 1266 .algorithm_auth = SSL_aECDSA, 1267 .algorithm_enc = SSL_AES256GCM, 1268 .algorithm_mac = SSL_AEAD, 1269 .algorithm_ssl = SSL_TLSV1_2, 1270 .algo_strength = SSL_HIGH, 1271 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1272 FIXED_NONCE_LEN(4)| 1273 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1274 .strength_bits = 256, 1275 .alg_bits = 256, 1276 }, 1277 1278 /* Cipher C02F */ 1279 { 1280 .valid = 1, 1281 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1282 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1283 .algorithm_mkey = SSL_kECDHE, 1284 .algorithm_auth = SSL_aRSA, 1285 .algorithm_enc = SSL_AES128GCM, 1286 .algorithm_mac = SSL_AEAD, 1287 .algorithm_ssl = SSL_TLSV1_2, 1288 .algo_strength = SSL_HIGH, 1289 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1290 FIXED_NONCE_LEN(4)| 1291 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1292 .strength_bits = 128, 1293 .alg_bits = 128, 1294 }, 1295 1296 /* Cipher C030 */ 1297 { 1298 .valid = 1, 1299 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1300 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1301 .algorithm_mkey = SSL_kECDHE, 1302 .algorithm_auth = SSL_aRSA, 1303 .algorithm_enc = SSL_AES256GCM, 1304 .algorithm_mac = SSL_AEAD, 1305 .algorithm_ssl = SSL_TLSV1_2, 1306 .algo_strength = SSL_HIGH, 1307 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1308 FIXED_NONCE_LEN(4)| 1309 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1310 .strength_bits = 256, 1311 .alg_bits = 256, 1312 }, 1313 1314 /* Cipher CCA8 */ 1315 { 1316 .valid = 1, 1317 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1318 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1319 .algorithm_mkey = SSL_kECDHE, 1320 .algorithm_auth = SSL_aRSA, 1321 .algorithm_enc = SSL_CHACHA20POLY1305, 1322 .algorithm_mac = SSL_AEAD, 1323 .algorithm_ssl = SSL_TLSV1_2, 1324 .algo_strength = SSL_HIGH, 1325 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1326 FIXED_NONCE_LEN(12), 1327 .strength_bits = 256, 1328 .alg_bits = 256, 1329 }, 1330 1331 /* Cipher CCA9 */ 1332 { 1333 .valid = 1, 1334 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1335 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1336 .algorithm_mkey = SSL_kECDHE, 1337 .algorithm_auth = SSL_aECDSA, 1338 .algorithm_enc = SSL_CHACHA20POLY1305, 1339 .algorithm_mac = SSL_AEAD, 1340 .algorithm_ssl = SSL_TLSV1_2, 1341 .algo_strength = SSL_HIGH, 1342 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1343 FIXED_NONCE_LEN(12), 1344 .strength_bits = 256, 1345 .alg_bits = 256, 1346 }, 1347 1348 /* Cipher CCAA */ 1349 { 1350 .valid = 1, 1351 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1352 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1353 .algorithm_mkey = SSL_kDHE, 1354 .algorithm_auth = SSL_aRSA, 1355 .algorithm_enc = SSL_CHACHA20POLY1305, 1356 .algorithm_mac = SSL_AEAD, 1357 .algorithm_ssl = SSL_TLSV1_2, 1358 .algo_strength = SSL_HIGH, 1359 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1360 FIXED_NONCE_LEN(12), 1361 .strength_bits = 256, 1362 .alg_bits = 256, 1363 }, 1364 1365 /* Cipher FF85 FIXME IANA */ 1366 { 1367 .valid = 1, 1368 .name = "GOST2012256-GOST89-GOST89", 1369 .id = 0x300ff85, /* FIXME IANA */ 1370 .algorithm_mkey = SSL_kGOST, 1371 .algorithm_auth = SSL_aGOST01, 1372 .algorithm_enc = SSL_eGOST2814789CNT, 1373 .algorithm_mac = SSL_GOST89MAC, 1374 .algorithm_ssl = SSL_TLSV1, 1375 .algo_strength = SSL_HIGH, 1376 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1377 TLS1_STREAM_MAC, 1378 .strength_bits = 256, 1379 .alg_bits = 256 1380 }, 1381 1382 /* Cipher FF87 FIXME IANA */ 1383 { 1384 .valid = 1, 1385 .name = "GOST2012256-NULL-STREEBOG256", 1386 .id = 0x300ff87, /* FIXME IANA */ 1387 .algorithm_mkey = SSL_kGOST, 1388 .algorithm_auth = SSL_aGOST01, 1389 .algorithm_enc = SSL_eNULL, 1390 .algorithm_mac = SSL_STREEBOG256, 1391 .algorithm_ssl = SSL_TLSV1, 1392 .algo_strength = SSL_STRONG_NONE, 1393 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1394 .strength_bits = 0, 1395 .alg_bits = 0 1396 }, 1397 1398 1399 /* end of list */ 1400 }; 1401 1402 int 1403 ssl3_num_ciphers(void) 1404 { 1405 return (SSL3_NUM_CIPHERS); 1406 } 1407 1408 const SSL_CIPHER * 1409 ssl3_get_cipher(unsigned int u) 1410 { 1411 if (u < SSL3_NUM_CIPHERS) 1412 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1413 else 1414 return (NULL); 1415 } 1416 1417 static int 1418 ssl3_cipher_id_cmp(const void *id, const void *cipher) 1419 { 1420 unsigned long a = *(const unsigned long *)id; 1421 unsigned long b = ((const SSL_CIPHER *)cipher)->id; 1422 1423 return a < b ? -1 : a > b; 1424 } 1425 1426 const SSL_CIPHER * 1427 ssl3_get_cipher_by_id(unsigned long id) 1428 { 1429 const SSL_CIPHER *cipher; 1430 1431 cipher = bsearch(&id, ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(*cipher), 1432 ssl3_cipher_id_cmp); 1433 if (cipher != NULL && cipher->valid == 1) 1434 return cipher; 1435 1436 return NULL; 1437 } 1438 1439 const SSL_CIPHER * 1440 ssl3_get_cipher_by_value(uint16_t value) 1441 { 1442 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1443 } 1444 1445 uint16_t 1446 ssl3_cipher_get_value(const SSL_CIPHER *c) 1447 { 1448 return (c->id & SSL3_CK_VALUE_MASK); 1449 } 1450 1451 int 1452 ssl3_pending(const SSL *s) 1453 { 1454 if (s->s3->rcontent == NULL) 1455 return 0; 1456 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) 1457 return 0; 1458 1459 return tls_content_remaining(s->s3->rcontent); 1460 } 1461 1462 int 1463 ssl3_handshake_msg_hdr_len(SSL *s) 1464 { 1465 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1466 SSL3_HM_HEADER_LENGTH); 1467 } 1468 1469 int 1470 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1471 { 1472 int ret = 0; 1473 1474 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1475 goto err; 1476 if (!CBB_add_u8(handshake, msg_type)) 1477 goto err; 1478 if (SSL_is_dtls(s)) { 1479 unsigned char *data; 1480 1481 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1482 SSL3_HM_HEADER_LENGTH)) 1483 goto err; 1484 } 1485 if (!CBB_add_u24_length_prefixed(handshake, body)) 1486 goto err; 1487 1488 ret = 1; 1489 1490 err: 1491 return (ret); 1492 } 1493 1494 int 1495 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1496 { 1497 unsigned char *data = NULL; 1498 size_t outlen; 1499 int ret = 0; 1500 1501 if (!CBB_finish(handshake, &data, &outlen)) 1502 goto err; 1503 1504 if (outlen > INT_MAX) 1505 goto err; 1506 1507 if (!BUF_MEM_grow_clean(s->init_buf, outlen)) 1508 goto err; 1509 1510 memcpy(s->init_buf->data, data, outlen); 1511 1512 s->init_num = (int)outlen; 1513 s->init_off = 0; 1514 1515 if (SSL_is_dtls(s)) { 1516 unsigned long len; 1517 uint8_t msg_type; 1518 CBS cbs; 1519 1520 CBS_init(&cbs, data, outlen); 1521 if (!CBS_get_u8(&cbs, &msg_type)) 1522 goto err; 1523 1524 len = outlen - ssl3_handshake_msg_hdr_len(s); 1525 1526 dtls1_set_message_header(s, msg_type, len, 0, len); 1527 dtls1_buffer_message(s, 0); 1528 } 1529 1530 ret = 1; 1531 1532 err: 1533 free(data); 1534 1535 return (ret); 1536 } 1537 1538 int 1539 ssl3_handshake_write(SSL *s) 1540 { 1541 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1542 } 1543 1544 int 1545 ssl3_record_write(SSL *s, int type) 1546 { 1547 if (SSL_is_dtls(s)) 1548 return dtls1_do_write(s, type); 1549 1550 return ssl3_do_write(s, type); 1551 } 1552 1553 int 1554 ssl3_new(SSL *s) 1555 { 1556 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1557 return (0); 1558 1559 s->method->ssl_clear(s); 1560 1561 return (1); 1562 } 1563 1564 void 1565 ssl3_free(SSL *s) 1566 { 1567 if (s == NULL) 1568 return; 1569 1570 tls1_cleanup_key_block(s); 1571 ssl3_release_read_buffer(s); 1572 ssl3_release_write_buffer(s); 1573 1574 tls_content_free(s->s3->rcontent); 1575 1576 tls_buffer_free(s->s3->alert_fragment); 1577 tls_buffer_free(s->s3->handshake_fragment); 1578 1579 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1580 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1581 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1582 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1583 tls_key_share_free(s->s3->hs.key_share); 1584 1585 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1586 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1587 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1588 1589 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1590 1591 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1592 1593 tls1_transcript_free(s); 1594 tls1_transcript_hash_free(s); 1595 1596 free(s->s3->alpn_selected); 1597 1598 freezero(s->s3->peer_quic_transport_params, 1599 s->s3->peer_quic_transport_params_len); 1600 1601 freezero(s->s3, sizeof(*s->s3)); 1602 1603 s->s3 = NULL; 1604 } 1605 1606 void 1607 ssl3_clear(SSL *s) 1608 { 1609 unsigned char *rp, *wp; 1610 size_t rlen, wlen; 1611 1612 tls1_cleanup_key_block(s); 1613 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1614 1615 tls_buffer_free(s->s3->alert_fragment); 1616 s->s3->alert_fragment = NULL; 1617 tls_buffer_free(s->s3->handshake_fragment); 1618 s->s3->handshake_fragment = NULL; 1619 1620 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1621 s->s3->hs.sigalgs = NULL; 1622 s->s3->hs.sigalgs_len = 0; 1623 1624 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1625 s->s3->hs.peer_certs = NULL; 1626 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1627 s->s3->hs.peer_certs_no_leaf = NULL; 1628 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1629 s->s3->hs.verified_chain = NULL; 1630 1631 tls_key_share_free(s->s3->hs.key_share); 1632 s->s3->hs.key_share = NULL; 1633 1634 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1635 s->s3->hs.tls13.secrets = NULL; 1636 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1637 s->s3->hs.tls13.cookie = NULL; 1638 s->s3->hs.tls13.cookie_len = 0; 1639 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1640 1641 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1642 s->s3->hs.tls13.quic_read_buffer = NULL; 1643 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1644 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1645 1646 s->s3->hs.extensions_seen = 0; 1647 1648 rp = s->s3->rbuf.buf; 1649 wp = s->s3->wbuf.buf; 1650 rlen = s->s3->rbuf.len; 1651 wlen = s->s3->wbuf.len; 1652 1653 tls_content_free(s->s3->rcontent); 1654 s->s3->rcontent = NULL; 1655 1656 tls1_transcript_free(s); 1657 tls1_transcript_hash_free(s); 1658 1659 free(s->s3->alpn_selected); 1660 s->s3->alpn_selected = NULL; 1661 s->s3->alpn_selected_len = 0; 1662 1663 freezero(s->s3->peer_quic_transport_params, 1664 s->s3->peer_quic_transport_params_len); 1665 s->s3->peer_quic_transport_params = NULL; 1666 s->s3->peer_quic_transport_params_len = 0; 1667 1668 memset(s->s3, 0, sizeof(*s->s3)); 1669 1670 s->s3->rbuf.buf = rp; 1671 s->s3->wbuf.buf = wp; 1672 s->s3->rbuf.len = rlen; 1673 s->s3->wbuf.len = wlen; 1674 1675 ssl_free_wbio_buffer(s); 1676 1677 /* Not needed... */ 1678 s->s3->renegotiate = 0; 1679 s->s3->total_renegotiations = 0; 1680 s->s3->num_renegotiations = 0; 1681 s->s3->in_read_app_data = 0; 1682 1683 s->packet_length = 0; 1684 s->version = TLS1_2_VERSION; 1685 1686 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1687 } 1688 1689 long 1690 _SSL_get_shared_group(SSL *s, long n) 1691 { 1692 size_t count; 1693 int nid; 1694 1695 /* OpenSSL document that they return -1 for clients. They return 0. */ 1696 if (!s->server) 1697 return 0; 1698 1699 if (n == -1) { 1700 if (!tls1_count_shared_groups(s, &count)) 1701 return 0; 1702 1703 if (count > LONG_MAX) 1704 count = LONG_MAX; 1705 1706 return count; 1707 } 1708 1709 /* Undocumented special case added for Suite B profile support. */ 1710 if (n == -2) 1711 n = 0; 1712 1713 if (n < 0) 1714 return 0; 1715 1716 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1717 return NID_undef; 1718 1719 return nid; 1720 } 1721 1722 long 1723 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1724 { 1725 EVP_PKEY *pkey = NULL; 1726 int ret = 0; 1727 1728 *key = NULL; 1729 1730 if (s->s3->hs.key_share == NULL) 1731 goto err; 1732 1733 if ((pkey = EVP_PKEY_new()) == NULL) 1734 goto err; 1735 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1736 goto err; 1737 1738 *key = pkey; 1739 pkey = NULL; 1740 1741 ret = 1; 1742 1743 err: 1744 EVP_PKEY_free(pkey); 1745 1746 return (ret); 1747 } 1748 1749 static int 1750 _SSL_session_reused(SSL *s) 1751 { 1752 return s->hit; 1753 } 1754 1755 static int 1756 _SSL_num_renegotiations(SSL *s) 1757 { 1758 return s->s3->num_renegotiations; 1759 } 1760 1761 static int 1762 _SSL_clear_num_renegotiations(SSL *s) 1763 { 1764 int renegs; 1765 1766 renegs = s->s3->num_renegotiations; 1767 s->s3->num_renegotiations = 0; 1768 1769 return renegs; 1770 } 1771 1772 static int 1773 _SSL_total_renegotiations(SSL *s) 1774 { 1775 return s->s3->total_renegotiations; 1776 } 1777 1778 static int 1779 _SSL_set_tmp_dh(SSL *s, DH *dh) 1780 { 1781 DH *dhe_params; 1782 1783 if (dh == NULL) { 1784 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1785 return 0; 1786 } 1787 1788 if (!ssl_security_dh(s, dh)) { 1789 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1790 return 0; 1791 } 1792 1793 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1794 SSLerror(s, ERR_R_DH_LIB); 1795 return 0; 1796 } 1797 1798 DH_free(s->cert->dhe_params); 1799 s->cert->dhe_params = dhe_params; 1800 1801 return 1; 1802 } 1803 1804 static int 1805 _SSL_set_dh_auto(SSL *s, int state) 1806 { 1807 s->cert->dhe_params_auto = state; 1808 return 1; 1809 } 1810 1811 static int 1812 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1813 { 1814 const EC_GROUP *group; 1815 int nid; 1816 1817 if (ecdh == NULL) 1818 return 0; 1819 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1820 return 0; 1821 1822 nid = EC_GROUP_get_curve_name(group); 1823 return SSL_set1_groups(s, &nid, 1); 1824 } 1825 1826 static int 1827 _SSL_set_ecdh_auto(SSL *s, int state) 1828 { 1829 return 1; 1830 } 1831 1832 static int 1833 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1834 { 1835 int is_ip; 1836 CBS cbs; 1837 1838 free(s->tlsext_hostname); 1839 s->tlsext_hostname = NULL; 1840 1841 if (name == NULL) 1842 return 1; 1843 1844 CBS_init(&cbs, name, strlen(name)); 1845 1846 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1847 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1848 return 0; 1849 } 1850 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1851 SSLerror(s, ERR_R_INTERNAL_ERROR); 1852 return 0; 1853 } 1854 1855 return 1; 1856 } 1857 1858 static int 1859 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1860 { 1861 s->tlsext_debug_arg = arg; 1862 return 1; 1863 } 1864 1865 static int 1866 _SSL_get_tlsext_status_type(SSL *s) 1867 { 1868 return s->tlsext_status_type; 1869 } 1870 1871 static int 1872 _SSL_set_tlsext_status_type(SSL *s, int type) 1873 { 1874 s->tlsext_status_type = type; 1875 return 1; 1876 } 1877 1878 static int 1879 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1880 { 1881 *exts = s->tlsext_ocsp_exts; 1882 return 1; 1883 } 1884 1885 static int 1886 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1887 { 1888 /* XXX - leak... */ 1889 s->tlsext_ocsp_exts = exts; 1890 return 1; 1891 } 1892 1893 static int 1894 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1895 { 1896 *ids = s->tlsext_ocsp_ids; 1897 return 1; 1898 } 1899 1900 static int 1901 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1902 { 1903 /* XXX - leak... */ 1904 s->tlsext_ocsp_ids = ids; 1905 return 1; 1906 } 1907 1908 static int 1909 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1910 { 1911 if (s->tlsext_ocsp_resp != NULL && 1912 s->tlsext_ocsp_resp_len < INT_MAX) { 1913 *resp = s->tlsext_ocsp_resp; 1914 return (int)s->tlsext_ocsp_resp_len; 1915 } 1916 1917 *resp = NULL; 1918 1919 return -1; 1920 } 1921 1922 static int 1923 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1924 { 1925 free(s->tlsext_ocsp_resp); 1926 s->tlsext_ocsp_resp = NULL; 1927 s->tlsext_ocsp_resp_len = 0; 1928 1929 if (resp_len < 0) 1930 return 0; 1931 1932 s->tlsext_ocsp_resp = resp; 1933 s->tlsext_ocsp_resp_len = (size_t)resp_len; 1934 1935 return 1; 1936 } 1937 1938 int 1939 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1940 { 1941 return ssl_cert_set0_chain(NULL, ssl, chain); 1942 } 1943 LSSL_ALIAS(SSL_set0_chain); 1944 1945 int 1946 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1947 { 1948 return ssl_cert_set1_chain(NULL, ssl, chain); 1949 } 1950 LSSL_ALIAS(SSL_set1_chain); 1951 1952 int 1953 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1954 { 1955 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1956 } 1957 LSSL_ALIAS(SSL_add0_chain_cert); 1958 1959 int 1960 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1961 { 1962 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1963 } 1964 LSSL_ALIAS(SSL_add1_chain_cert); 1965 1966 int 1967 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1968 { 1969 *out_chain = NULL; 1970 1971 if (ssl->cert->key != NULL) 1972 *out_chain = ssl->cert->key->chain; 1973 1974 return 1; 1975 } 1976 LSSL_ALIAS(SSL_get0_chain_certs); 1977 1978 int 1979 SSL_clear_chain_certs(SSL *ssl) 1980 { 1981 return ssl_cert_set0_chain(NULL, ssl, NULL); 1982 } 1983 LSSL_ALIAS(SSL_clear_chain_certs); 1984 1985 int 1986 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1987 { 1988 return tls1_set_groups(&s->tlsext_supportedgroups, 1989 &s->tlsext_supportedgroups_length, groups, groups_len); 1990 } 1991 LSSL_ALIAS(SSL_set1_groups); 1992 1993 int 1994 SSL_set1_groups_list(SSL *s, const char *groups) 1995 { 1996 return tls1_set_group_list(&s->tlsext_supportedgroups, 1997 &s->tlsext_supportedgroups_length, groups); 1998 } 1999 LSSL_ALIAS(SSL_set1_groups_list); 2000 2001 static int 2002 _SSL_get_signature_nid(SSL *s, int *nid) 2003 { 2004 const struct ssl_sigalg *sigalg; 2005 2006 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 2007 return 0; 2008 2009 *nid = EVP_MD_type(sigalg->md()); 2010 2011 return 1; 2012 } 2013 2014 static int 2015 _SSL_get_peer_signature_nid(SSL *s, int *nid) 2016 { 2017 const struct ssl_sigalg *sigalg; 2018 2019 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2020 return 0; 2021 2022 *nid = EVP_MD_type(sigalg->md()); 2023 2024 return 1; 2025 } 2026 2027 int 2028 SSL_get_signature_type_nid(const SSL *s, int *nid) 2029 { 2030 const struct ssl_sigalg *sigalg; 2031 2032 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 2033 return 0; 2034 2035 *nid = sigalg->key_type; 2036 if (sigalg->key_type == EVP_PKEY_RSA && 2037 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2038 *nid = EVP_PKEY_RSA_PSS; 2039 2040 return 1; 2041 } 2042 2043 int 2044 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 2045 { 2046 const struct ssl_sigalg *sigalg; 2047 2048 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2049 return 0; 2050 2051 *nid = sigalg->key_type; 2052 if (sigalg->key_type == EVP_PKEY_RSA && 2053 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2054 *nid = EVP_PKEY_RSA_PSS; 2055 2056 return 1; 2057 } 2058 2059 long 2060 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 2061 { 2062 switch (cmd) { 2063 case SSL_CTRL_GET_SESSION_REUSED: 2064 return _SSL_session_reused(s); 2065 2066 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 2067 return _SSL_num_renegotiations(s); 2068 2069 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 2070 return _SSL_clear_num_renegotiations(s); 2071 2072 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 2073 return _SSL_total_renegotiations(s); 2074 2075 case SSL_CTRL_SET_TMP_DH: 2076 return _SSL_set_tmp_dh(s, parg); 2077 2078 case SSL_CTRL_SET_TMP_DH_CB: 2079 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2080 return 0; 2081 2082 case SSL_CTRL_SET_DH_AUTO: 2083 return _SSL_set_dh_auto(s, larg); 2084 2085 case SSL_CTRL_SET_TMP_ECDH: 2086 return _SSL_set_tmp_ecdh(s, parg); 2087 2088 case SSL_CTRL_SET_TMP_ECDH_CB: 2089 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2090 return 0; 2091 2092 case SSL_CTRL_SET_ECDH_AUTO: 2093 return _SSL_set_ecdh_auto(s, larg); 2094 2095 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 2096 if (larg != TLSEXT_NAMETYPE_host_name) { 2097 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 2098 return 0; 2099 } 2100 return _SSL_set_tlsext_host_name(s, parg); 2101 2102 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2103 return _SSL_set_tlsext_debug_arg(s, parg); 2104 2105 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 2106 return _SSL_get_tlsext_status_type(s); 2107 2108 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 2109 return _SSL_set_tlsext_status_type(s, larg); 2110 2111 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 2112 return _SSL_get_tlsext_status_exts(s, parg); 2113 2114 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 2115 return _SSL_set_tlsext_status_exts(s, parg); 2116 2117 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 2118 return _SSL_get_tlsext_status_ids(s, parg); 2119 2120 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 2121 return _SSL_set_tlsext_status_ids(s, parg); 2122 2123 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2124 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2125 2126 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2127 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2128 2129 case SSL_CTRL_CHAIN: 2130 if (larg == 0) 2131 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2132 else 2133 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2134 2135 case SSL_CTRL_CHAIN_CERT: 2136 if (larg == 0) 2137 return SSL_add0_chain_cert(s, (X509 *)parg); 2138 else 2139 return SSL_add1_chain_cert(s, (X509 *)parg); 2140 2141 case SSL_CTRL_GET_CHAIN_CERTS: 2142 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2143 2144 case SSL_CTRL_SET_GROUPS: 2145 return SSL_set1_groups(s, parg, larg); 2146 2147 case SSL_CTRL_SET_GROUPS_LIST: 2148 return SSL_set1_groups_list(s, parg); 2149 2150 case SSL_CTRL_GET_SHARED_GROUP: 2151 return _SSL_get_shared_group(s, larg); 2152 2153 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2154 case SSL_CTRL_GET_SERVER_TMP_KEY: 2155 if (s->server != 0) 2156 return 0; 2157 return _SSL_get_peer_tmp_key(s, parg); 2158 2159 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2160 return SSL_get_min_proto_version(s); 2161 2162 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2163 return SSL_get_max_proto_version(s); 2164 2165 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2166 if (larg < 0 || larg > UINT16_MAX) 2167 return 0; 2168 return SSL_set_min_proto_version(s, larg); 2169 2170 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2171 if (larg < 0 || larg > UINT16_MAX) 2172 return 0; 2173 return SSL_set_max_proto_version(s, larg); 2174 2175 case SSL_CTRL_GET_SIGNATURE_NID: 2176 return _SSL_get_signature_nid(s, parg); 2177 2178 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 2179 return _SSL_get_peer_signature_nid(s, parg); 2180 2181 /* 2182 * Legacy controls that should eventually be removed. 2183 */ 2184 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2185 return 0; 2186 2187 case SSL_CTRL_GET_FLAGS: 2188 return (int)(s->s3->flags); 2189 2190 case SSL_CTRL_NEED_TMP_RSA: 2191 return 0; 2192 2193 case SSL_CTRL_SET_TMP_RSA: 2194 case SSL_CTRL_SET_TMP_RSA_CB: 2195 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2196 return 0; 2197 } 2198 2199 return 0; 2200 } 2201 2202 long 2203 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2204 { 2205 switch (cmd) { 2206 case SSL_CTRL_SET_TMP_RSA_CB: 2207 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2208 return 0; 2209 2210 case SSL_CTRL_SET_TMP_DH_CB: 2211 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 2212 return 1; 2213 2214 case SSL_CTRL_SET_TMP_ECDH_CB: 2215 return 1; 2216 2217 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2218 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2219 unsigned char *, int, void *))fp; 2220 return 1; 2221 } 2222 2223 return 0; 2224 } 2225 2226 static int 2227 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2228 { 2229 DH *dhe_params; 2230 2231 if (dh == NULL) { 2232 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 2233 return 0; 2234 } 2235 2236 if (!ssl_ctx_security_dh(ctx, dh)) { 2237 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 2238 return 0; 2239 } 2240 2241 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2242 SSLerrorx(ERR_R_DH_LIB); 2243 return 0; 2244 } 2245 2246 DH_free(ctx->cert->dhe_params); 2247 ctx->cert->dhe_params = dhe_params; 2248 2249 return 1; 2250 } 2251 2252 static int 2253 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2254 { 2255 ctx->cert->dhe_params_auto = state; 2256 return 1; 2257 } 2258 2259 static int 2260 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2261 { 2262 const EC_GROUP *group; 2263 int nid; 2264 2265 if (ecdh == NULL) 2266 return 0; 2267 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2268 return 0; 2269 2270 nid = EC_GROUP_get_curve_name(group); 2271 return SSL_CTX_set1_groups(ctx, &nid, 1); 2272 } 2273 2274 static int 2275 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2276 { 2277 return 1; 2278 } 2279 2280 static int 2281 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2282 { 2283 ctx->tlsext_servername_arg = arg; 2284 return 1; 2285 } 2286 2287 static int 2288 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2289 { 2290 if (keys == NULL) 2291 return 48; 2292 2293 if (keys_len != 48) { 2294 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2295 return 0; 2296 } 2297 2298 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2299 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2300 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2301 2302 return 1; 2303 } 2304 2305 static int 2306 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2307 { 2308 if (keys == NULL) 2309 return 48; 2310 2311 if (keys_len != 48) { 2312 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2313 return 0; 2314 } 2315 2316 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2317 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2318 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2319 2320 return 1; 2321 } 2322 2323 static int 2324 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2325 { 2326 *arg = ctx->tlsext_status_arg; 2327 return 1; 2328 } 2329 2330 static int 2331 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2332 { 2333 ctx->tlsext_status_arg = arg; 2334 return 1; 2335 } 2336 2337 int 2338 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2339 { 2340 return ssl_cert_set0_chain(ctx, NULL, chain); 2341 } 2342 LSSL_ALIAS(SSL_CTX_set0_chain); 2343 2344 int 2345 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2346 { 2347 return ssl_cert_set1_chain(ctx, NULL, chain); 2348 } 2349 LSSL_ALIAS(SSL_CTX_set1_chain); 2350 2351 int 2352 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2353 { 2354 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2355 } 2356 LSSL_ALIAS(SSL_CTX_add0_chain_cert); 2357 2358 int 2359 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2360 { 2361 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2362 } 2363 LSSL_ALIAS(SSL_CTX_add1_chain_cert); 2364 2365 int 2366 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2367 { 2368 *out_chain = NULL; 2369 2370 if (ctx->cert->key != NULL) 2371 *out_chain = ctx->cert->key->chain; 2372 2373 return 1; 2374 } 2375 LSSL_ALIAS(SSL_CTX_get0_chain_certs); 2376 2377 int 2378 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2379 { 2380 return ssl_cert_set0_chain(ctx, NULL, NULL); 2381 } 2382 LSSL_ALIAS(SSL_CTX_clear_chain_certs); 2383 2384 static int 2385 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2386 { 2387 if (ctx->extra_certs == NULL) { 2388 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2389 return 0; 2390 } 2391 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2392 return 0; 2393 2394 return 1; 2395 } 2396 2397 static int 2398 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2399 { 2400 *certs = ctx->extra_certs; 2401 if (*certs == NULL) 2402 *certs = ctx->cert->key->chain; 2403 2404 return 1; 2405 } 2406 2407 static int 2408 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2409 { 2410 *certs = ctx->extra_certs; 2411 return 1; 2412 } 2413 2414 static int 2415 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2416 { 2417 sk_X509_pop_free(ctx->extra_certs, X509_free); 2418 ctx->extra_certs = NULL; 2419 return 1; 2420 } 2421 2422 int 2423 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2424 { 2425 return tls1_set_groups(&ctx->tlsext_supportedgroups, 2426 &ctx->tlsext_supportedgroups_length, groups, groups_len); 2427 } 2428 LSSL_ALIAS(SSL_CTX_set1_groups); 2429 2430 int 2431 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2432 { 2433 return tls1_set_group_list(&ctx->tlsext_supportedgroups, 2434 &ctx->tlsext_supportedgroups_length, groups); 2435 } 2436 LSSL_ALIAS(SSL_CTX_set1_groups_list); 2437 2438 long 2439 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2440 { 2441 switch (cmd) { 2442 case SSL_CTRL_SET_TMP_DH: 2443 return _SSL_CTX_set_tmp_dh(ctx, parg); 2444 2445 case SSL_CTRL_SET_TMP_DH_CB: 2446 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2447 return 0; 2448 2449 case SSL_CTRL_SET_DH_AUTO: 2450 return _SSL_CTX_set_dh_auto(ctx, larg); 2451 2452 case SSL_CTRL_SET_TMP_ECDH: 2453 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2454 2455 case SSL_CTRL_SET_TMP_ECDH_CB: 2456 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2457 return 0; 2458 2459 case SSL_CTRL_SET_ECDH_AUTO: 2460 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2461 2462 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2463 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2464 2465 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2466 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2467 2468 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2469 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2470 2471 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2472 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2473 2474 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2475 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2476 2477 case SSL_CTRL_CHAIN: 2478 if (larg == 0) 2479 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2480 else 2481 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2482 2483 case SSL_CTRL_CHAIN_CERT: 2484 if (larg == 0) 2485 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2486 else 2487 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2488 2489 case SSL_CTRL_GET_CHAIN_CERTS: 2490 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2491 2492 case SSL_CTRL_EXTRA_CHAIN_CERT: 2493 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2494 2495 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2496 if (larg == 0) 2497 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2498 else 2499 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2500 2501 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2502 return _SSL_CTX_clear_extra_chain_certs(ctx); 2503 2504 case SSL_CTRL_SET_GROUPS: 2505 return SSL_CTX_set1_groups(ctx, parg, larg); 2506 2507 case SSL_CTRL_SET_GROUPS_LIST: 2508 return SSL_CTX_set1_groups_list(ctx, parg); 2509 2510 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2511 return SSL_CTX_get_min_proto_version(ctx); 2512 2513 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2514 return SSL_CTX_get_max_proto_version(ctx); 2515 2516 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2517 if (larg < 0 || larg > UINT16_MAX) 2518 return 0; 2519 return SSL_CTX_set_min_proto_version(ctx, larg); 2520 2521 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2522 if (larg < 0 || larg > UINT16_MAX) 2523 return 0; 2524 return SSL_CTX_set_max_proto_version(ctx, larg); 2525 2526 /* 2527 * Legacy controls that should eventually be removed. 2528 */ 2529 case SSL_CTRL_NEED_TMP_RSA: 2530 return 0; 2531 2532 case SSL_CTRL_SET_TMP_RSA: 2533 case SSL_CTRL_SET_TMP_RSA_CB: 2534 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2535 return 0; 2536 } 2537 2538 return 0; 2539 } 2540 2541 long 2542 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2543 { 2544 switch (cmd) { 2545 case SSL_CTRL_SET_TMP_RSA_CB: 2546 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2547 return 0; 2548 2549 case SSL_CTRL_SET_TMP_DH_CB: 2550 ctx->cert->dhe_params_cb = 2551 (DH *(*)(SSL *, int, int))fp; 2552 return 1; 2553 2554 case SSL_CTRL_SET_TMP_ECDH_CB: 2555 return 1; 2556 2557 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2558 ctx->tlsext_servername_callback = 2559 (int (*)(SSL *, int *, void *))fp; 2560 return 1; 2561 2562 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2563 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; 2564 return 1; 2565 2566 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2567 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2568 return 1; 2569 2570 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2571 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2572 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2573 return 1; 2574 } 2575 2576 return 0; 2577 } 2578 2579 SSL_CIPHER * 2580 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2581 STACK_OF(SSL_CIPHER) *srvr) 2582 { 2583 unsigned long alg_k, alg_a, mask_k, mask_a; 2584 STACK_OF(SSL_CIPHER) *prio, *allow; 2585 SSL_CIPHER *c, *ret = NULL; 2586 int can_use_ecc; 2587 int i, ii, nid, ok; 2588 SSL_CERT *cert; 2589 2590 /* Let's see which ciphers we can support */ 2591 cert = s->cert; 2592 2593 can_use_ecc = tls1_get_supported_group(s, &nid); 2594 2595 /* 2596 * Do not set the compare functions, because this may lead to a 2597 * reordering by "id". We want to keep the original ordering. 2598 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2599 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2600 */ 2601 2602 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2603 prio = srvr; 2604 allow = clnt; 2605 } else { 2606 prio = clnt; 2607 allow = srvr; 2608 } 2609 2610 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2611 c = sk_SSL_CIPHER_value(prio, i); 2612 2613 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2614 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2615 !SSL_USE_TLS1_2_CIPHERS(s)) 2616 continue; 2617 2618 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2619 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2620 !SSL_USE_TLS1_3_CIPHERS(s)) 2621 continue; 2622 2623 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2624 if (SSL_USE_TLS1_3_CIPHERS(s) && 2625 !(c->algorithm_ssl & SSL_TLSV1_3)) 2626 continue; 2627 2628 if (!ssl_security_shared_cipher(s, c)) 2629 continue; 2630 2631 ssl_set_cert_masks(cert, c); 2632 mask_k = cert->mask_k; 2633 mask_a = cert->mask_a; 2634 2635 alg_k = c->algorithm_mkey; 2636 alg_a = c->algorithm_auth; 2637 2638 ok = (alg_k & mask_k) && (alg_a & mask_a); 2639 2640 /* 2641 * If we are considering an ECC cipher suite that uses our 2642 * certificate check it. 2643 */ 2644 if (alg_a & SSL_aECDSA) 2645 ok = ok && tls1_check_ec_server_key(s); 2646 /* 2647 * If we are considering an ECC cipher suite that uses 2648 * an ephemeral EC key check it. 2649 */ 2650 if (alg_k & SSL_kECDHE) 2651 ok = ok && can_use_ecc; 2652 2653 if (!ok) 2654 continue; 2655 ii = sk_SSL_CIPHER_find(allow, c); 2656 if (ii >= 0) { 2657 ret = sk_SSL_CIPHER_value(allow, ii); 2658 break; 2659 } 2660 } 2661 return (ret); 2662 } 2663 2664 int 2665 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2666 { 2667 unsigned long alg_k; 2668 2669 alg_k = s->s3->hs.cipher->algorithm_mkey; 2670 2671 #ifndef OPENSSL_NO_GOST 2672 if ((alg_k & SSL_kGOST) != 0) { 2673 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2674 return 0; 2675 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2676 return 0; 2677 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2678 return 0; 2679 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2680 return 0; 2681 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2682 return 0; 2683 } 2684 #endif 2685 2686 if ((alg_k & SSL_kDHE) != 0) { 2687 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2688 return 0; 2689 } 2690 2691 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2692 return 0; 2693 2694 /* 2695 * ECDSA certs can be used with RSA cipher suites as well 2696 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2697 */ 2698 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2699 return 0; 2700 2701 return 1; 2702 } 2703 2704 int 2705 ssl3_shutdown(SSL *s) 2706 { 2707 int ret; 2708 2709 /* 2710 * Don't do anything much if we have not done the handshake or 2711 * we don't want to send messages :-) 2712 */ 2713 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2714 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2715 return (1); 2716 } 2717 2718 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { 2719 s->shutdown|=SSL_SENT_SHUTDOWN; 2720 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2721 /* 2722 * Our shutdown alert has been sent now, and if it still needs 2723 * to be written, s->s3->alert_dispatch will be true 2724 */ 2725 if (s->s3->alert_dispatch) 2726 return (-1); /* return WANT_WRITE */ 2727 } else if (s->s3->alert_dispatch) { 2728 /* resend it if not sent */ 2729 ret = ssl3_dispatch_alert(s); 2730 if (ret == -1) { 2731 /* 2732 * We only get to return -1 here the 2nd/Nth 2733 * invocation, we must have already signalled 2734 * return 0 upon a previous invoation, 2735 * return WANT_WRITE 2736 */ 2737 return (ret); 2738 } 2739 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2740 /* If we are waiting for a close from our peer, we are closed */ 2741 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2742 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2743 return (-1); /* return WANT_READ */ 2744 } 2745 } 2746 2747 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2748 !s->s3->alert_dispatch) 2749 return (1); 2750 else 2751 return (0); 2752 } 2753 2754 int 2755 ssl3_write(SSL *s, const void *buf, int len) 2756 { 2757 errno = 0; 2758 2759 if (s->s3->renegotiate) 2760 ssl3_renegotiate_check(s); 2761 2762 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2763 buf, len); 2764 } 2765 2766 static int 2767 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2768 { 2769 int ret; 2770 2771 errno = 0; 2772 if (s->s3->renegotiate) 2773 ssl3_renegotiate_check(s); 2774 s->s3->in_read_app_data = 1; 2775 2776 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2777 peek); 2778 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2779 /* 2780 * ssl3_read_bytes decided to call s->handshake_func, 2781 * which called ssl3_read_bytes to read handshake data. 2782 * However, ssl3_read_bytes actually found application data 2783 * and thinks that application data makes sense here; so disable 2784 * handshake processing and try to read application data again. 2785 */ 2786 s->in_handshake++; 2787 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2788 buf, len, peek); 2789 s->in_handshake--; 2790 } else 2791 s->s3->in_read_app_data = 0; 2792 2793 return (ret); 2794 } 2795 2796 int 2797 ssl3_read(SSL *s, void *buf, int len) 2798 { 2799 return ssl3_read_internal(s, buf, len, 0); 2800 } 2801 2802 int 2803 ssl3_peek(SSL *s, void *buf, int len) 2804 { 2805 return ssl3_read_internal(s, buf, len, 1); 2806 } 2807 2808 int 2809 ssl3_renegotiate(SSL *s) 2810 { 2811 if (s->handshake_func == NULL) 2812 return 1; 2813 2814 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2815 return 0; 2816 2817 s->s3->renegotiate = 1; 2818 2819 return 1; 2820 } 2821 2822 int 2823 ssl3_renegotiate_check(SSL *s) 2824 { 2825 if (!s->s3->renegotiate) 2826 return 0; 2827 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2828 return 0; 2829 2830 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2831 s->s3->renegotiate = 0; 2832 s->s3->num_renegotiations++; 2833 s->s3->total_renegotiations++; 2834 2835 return 1; 2836 } 2837