1 /* $OpenBSD: s3_lib.c,v 1.243 2023/05/16 14:10:43 jcs Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 #include <openssl/opensslconf.h> 160 161 #include "bytestring.h" 162 #include "dtls_local.h" 163 #include "ssl_local.h" 164 #include "ssl_sigalgs.h" 165 #include "ssl_tlsext.h" 166 #include "tls_content.h" 167 168 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 169 170 /* 171 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 172 * fixed nonce length in algorithms2. It is the inverse of the 173 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 174 */ 175 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 176 177 /* list of available SSLv3 ciphers (sorted by id) */ 178 const SSL_CIPHER ssl3_ciphers[] = { 179 180 /* The RSA ciphers */ 181 /* Cipher 01 */ 182 { 183 .valid = 1, 184 .name = SSL3_TXT_RSA_NULL_MD5, 185 .id = SSL3_CK_RSA_NULL_MD5, 186 .algorithm_mkey = SSL_kRSA, 187 .algorithm_auth = SSL_aRSA, 188 .algorithm_enc = SSL_eNULL, 189 .algorithm_mac = SSL_MD5, 190 .algorithm_ssl = SSL_SSLV3, 191 .algo_strength = SSL_STRONG_NONE, 192 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 193 .strength_bits = 0, 194 .alg_bits = 0, 195 }, 196 197 /* Cipher 02 */ 198 { 199 .valid = 1, 200 .name = SSL3_TXT_RSA_NULL_SHA, 201 .id = SSL3_CK_RSA_NULL_SHA, 202 .algorithm_mkey = SSL_kRSA, 203 .algorithm_auth = SSL_aRSA, 204 .algorithm_enc = SSL_eNULL, 205 .algorithm_mac = SSL_SHA1, 206 .algorithm_ssl = SSL_SSLV3, 207 .algo_strength = SSL_STRONG_NONE, 208 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 209 .strength_bits = 0, 210 .alg_bits = 0, 211 }, 212 213 /* Cipher 04 */ 214 { 215 .valid = 1, 216 .name = SSL3_TXT_RSA_RC4_128_MD5, 217 .id = SSL3_CK_RSA_RC4_128_MD5, 218 .algorithm_mkey = SSL_kRSA, 219 .algorithm_auth = SSL_aRSA, 220 .algorithm_enc = SSL_RC4, 221 .algorithm_mac = SSL_MD5, 222 .algorithm_ssl = SSL_SSLV3, 223 .algo_strength = SSL_LOW, 224 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 225 .strength_bits = 128, 226 .alg_bits = 128, 227 }, 228 229 /* Cipher 05 */ 230 { 231 .valid = 1, 232 .name = SSL3_TXT_RSA_RC4_128_SHA, 233 .id = SSL3_CK_RSA_RC4_128_SHA, 234 .algorithm_mkey = SSL_kRSA, 235 .algorithm_auth = SSL_aRSA, 236 .algorithm_enc = SSL_RC4, 237 .algorithm_mac = SSL_SHA1, 238 .algorithm_ssl = SSL_SSLV3, 239 .algo_strength = SSL_LOW, 240 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 241 .strength_bits = 128, 242 .alg_bits = 128, 243 }, 244 245 /* Cipher 0A */ 246 { 247 .valid = 1, 248 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 249 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 250 .algorithm_mkey = SSL_kRSA, 251 .algorithm_auth = SSL_aRSA, 252 .algorithm_enc = SSL_3DES, 253 .algorithm_mac = SSL_SHA1, 254 .algorithm_ssl = SSL_SSLV3, 255 .algo_strength = SSL_MEDIUM, 256 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 257 .strength_bits = 112, 258 .alg_bits = 168, 259 }, 260 261 /* 262 * Ephemeral DH (DHE) ciphers. 263 */ 264 265 /* Cipher 16 */ 266 { 267 .valid = 1, 268 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 269 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 270 .algorithm_mkey = SSL_kDHE, 271 .algorithm_auth = SSL_aRSA, 272 .algorithm_enc = SSL_3DES, 273 .algorithm_mac = SSL_SHA1, 274 .algorithm_ssl = SSL_SSLV3, 275 .algo_strength = SSL_MEDIUM, 276 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 277 .strength_bits = 112, 278 .alg_bits = 168, 279 }, 280 281 /* Cipher 18 */ 282 { 283 .valid = 1, 284 .name = SSL3_TXT_ADH_RC4_128_MD5, 285 .id = SSL3_CK_ADH_RC4_128_MD5, 286 .algorithm_mkey = SSL_kDHE, 287 .algorithm_auth = SSL_aNULL, 288 .algorithm_enc = SSL_RC4, 289 .algorithm_mac = SSL_MD5, 290 .algorithm_ssl = SSL_SSLV3, 291 .algo_strength = SSL_LOW, 292 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 293 .strength_bits = 128, 294 .alg_bits = 128, 295 }, 296 297 /* Cipher 1B */ 298 { 299 .valid = 1, 300 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 301 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 302 .algorithm_mkey = SSL_kDHE, 303 .algorithm_auth = SSL_aNULL, 304 .algorithm_enc = SSL_3DES, 305 .algorithm_mac = SSL_SHA1, 306 .algorithm_ssl = SSL_SSLV3, 307 .algo_strength = SSL_MEDIUM, 308 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 309 .strength_bits = 112, 310 .alg_bits = 168, 311 }, 312 313 /* 314 * AES ciphersuites. 315 */ 316 317 /* Cipher 2F */ 318 { 319 .valid = 1, 320 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 321 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 322 .algorithm_mkey = SSL_kRSA, 323 .algorithm_auth = SSL_aRSA, 324 .algorithm_enc = SSL_AES128, 325 .algorithm_mac = SSL_SHA1, 326 .algorithm_ssl = SSL_TLSV1, 327 .algo_strength = SSL_HIGH, 328 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 329 .strength_bits = 128, 330 .alg_bits = 128, 331 }, 332 333 /* Cipher 33 */ 334 { 335 .valid = 1, 336 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 337 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 338 .algorithm_mkey = SSL_kDHE, 339 .algorithm_auth = SSL_aRSA, 340 .algorithm_enc = SSL_AES128, 341 .algorithm_mac = SSL_SHA1, 342 .algorithm_ssl = SSL_TLSV1, 343 .algo_strength = SSL_HIGH, 344 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 345 .strength_bits = 128, 346 .alg_bits = 128, 347 }, 348 349 /* Cipher 34 */ 350 { 351 .valid = 1, 352 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 353 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 354 .algorithm_mkey = SSL_kDHE, 355 .algorithm_auth = SSL_aNULL, 356 .algorithm_enc = SSL_AES128, 357 .algorithm_mac = SSL_SHA1, 358 .algorithm_ssl = SSL_TLSV1, 359 .algo_strength = SSL_HIGH, 360 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 361 .strength_bits = 128, 362 .alg_bits = 128, 363 }, 364 365 /* Cipher 35 */ 366 { 367 .valid = 1, 368 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 369 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 370 .algorithm_mkey = SSL_kRSA, 371 .algorithm_auth = SSL_aRSA, 372 .algorithm_enc = SSL_AES256, 373 .algorithm_mac = SSL_SHA1, 374 .algorithm_ssl = SSL_TLSV1, 375 .algo_strength = SSL_HIGH, 376 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 377 .strength_bits = 256, 378 .alg_bits = 256, 379 }, 380 381 /* Cipher 39 */ 382 { 383 .valid = 1, 384 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 385 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 386 .algorithm_mkey = SSL_kDHE, 387 .algorithm_auth = SSL_aRSA, 388 .algorithm_enc = SSL_AES256, 389 .algorithm_mac = SSL_SHA1, 390 .algorithm_ssl = SSL_TLSV1, 391 .algo_strength = SSL_HIGH, 392 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 393 .strength_bits = 256, 394 .alg_bits = 256, 395 }, 396 397 /* Cipher 3A */ 398 { 399 .valid = 1, 400 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 401 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 402 .algorithm_mkey = SSL_kDHE, 403 .algorithm_auth = SSL_aNULL, 404 .algorithm_enc = SSL_AES256, 405 .algorithm_mac = SSL_SHA1, 406 .algorithm_ssl = SSL_TLSV1, 407 .algo_strength = SSL_HIGH, 408 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 409 .strength_bits = 256, 410 .alg_bits = 256, 411 }, 412 413 /* TLS v1.2 ciphersuites */ 414 /* Cipher 3B */ 415 { 416 .valid = 1, 417 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 418 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 419 .algorithm_mkey = SSL_kRSA, 420 .algorithm_auth = SSL_aRSA, 421 .algorithm_enc = SSL_eNULL, 422 .algorithm_mac = SSL_SHA256, 423 .algorithm_ssl = SSL_TLSV1_2, 424 .algo_strength = SSL_STRONG_NONE, 425 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 426 .strength_bits = 0, 427 .alg_bits = 0, 428 }, 429 430 /* Cipher 3C */ 431 { 432 .valid = 1, 433 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 434 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 435 .algorithm_mkey = SSL_kRSA, 436 .algorithm_auth = SSL_aRSA, 437 .algorithm_enc = SSL_AES128, 438 .algorithm_mac = SSL_SHA256, 439 .algorithm_ssl = SSL_TLSV1_2, 440 .algo_strength = SSL_HIGH, 441 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 442 .strength_bits = 128, 443 .alg_bits = 128, 444 }, 445 446 /* Cipher 3D */ 447 { 448 .valid = 1, 449 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 450 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 451 .algorithm_mkey = SSL_kRSA, 452 .algorithm_auth = SSL_aRSA, 453 .algorithm_enc = SSL_AES256, 454 .algorithm_mac = SSL_SHA256, 455 .algorithm_ssl = SSL_TLSV1_2, 456 .algo_strength = SSL_HIGH, 457 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 458 .strength_bits = 256, 459 .alg_bits = 256, 460 }, 461 462 #ifndef OPENSSL_NO_CAMELLIA 463 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 464 465 /* Cipher 41 */ 466 { 467 .valid = 1, 468 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 469 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 470 .algorithm_mkey = SSL_kRSA, 471 .algorithm_auth = SSL_aRSA, 472 .algorithm_enc = SSL_CAMELLIA128, 473 .algorithm_mac = SSL_SHA1, 474 .algorithm_ssl = SSL_TLSV1, 475 .algo_strength = SSL_HIGH, 476 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 477 .strength_bits = 128, 478 .alg_bits = 128, 479 }, 480 481 /* Cipher 45 */ 482 { 483 .valid = 1, 484 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 485 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 486 .algorithm_mkey = SSL_kDHE, 487 .algorithm_auth = SSL_aRSA, 488 .algorithm_enc = SSL_CAMELLIA128, 489 .algorithm_mac = SSL_SHA1, 490 .algorithm_ssl = SSL_TLSV1, 491 .algo_strength = SSL_HIGH, 492 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 493 .strength_bits = 128, 494 .alg_bits = 128, 495 }, 496 497 /* Cipher 46 */ 498 { 499 .valid = 1, 500 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 501 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 502 .algorithm_mkey = SSL_kDHE, 503 .algorithm_auth = SSL_aNULL, 504 .algorithm_enc = SSL_CAMELLIA128, 505 .algorithm_mac = SSL_SHA1, 506 .algorithm_ssl = SSL_TLSV1, 507 .algo_strength = SSL_HIGH, 508 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 509 .strength_bits = 128, 510 .alg_bits = 128, 511 }, 512 #endif /* OPENSSL_NO_CAMELLIA */ 513 514 /* TLS v1.2 ciphersuites */ 515 /* Cipher 67 */ 516 { 517 .valid = 1, 518 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 519 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 520 .algorithm_mkey = SSL_kDHE, 521 .algorithm_auth = SSL_aRSA, 522 .algorithm_enc = SSL_AES128, 523 .algorithm_mac = SSL_SHA256, 524 .algorithm_ssl = SSL_TLSV1_2, 525 .algo_strength = SSL_HIGH, 526 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 527 .strength_bits = 128, 528 .alg_bits = 128, 529 }, 530 531 /* Cipher 6B */ 532 { 533 .valid = 1, 534 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 535 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 536 .algorithm_mkey = SSL_kDHE, 537 .algorithm_auth = SSL_aRSA, 538 .algorithm_enc = SSL_AES256, 539 .algorithm_mac = SSL_SHA256, 540 .algorithm_ssl = SSL_TLSV1_2, 541 .algo_strength = SSL_HIGH, 542 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 543 .strength_bits = 256, 544 .alg_bits = 256, 545 }, 546 547 /* Cipher 6C */ 548 { 549 .valid = 1, 550 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 551 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 552 .algorithm_mkey = SSL_kDHE, 553 .algorithm_auth = SSL_aNULL, 554 .algorithm_enc = SSL_AES128, 555 .algorithm_mac = SSL_SHA256, 556 .algorithm_ssl = SSL_TLSV1_2, 557 .algo_strength = SSL_HIGH, 558 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 559 .strength_bits = 128, 560 .alg_bits = 128, 561 }, 562 563 /* Cipher 6D */ 564 { 565 .valid = 1, 566 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 567 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 568 .algorithm_mkey = SSL_kDHE, 569 .algorithm_auth = SSL_aNULL, 570 .algorithm_enc = SSL_AES256, 571 .algorithm_mac = SSL_SHA256, 572 .algorithm_ssl = SSL_TLSV1_2, 573 .algo_strength = SSL_HIGH, 574 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 575 .strength_bits = 256, 576 .alg_bits = 256, 577 }, 578 579 /* GOST Ciphersuites */ 580 581 /* Cipher 81 */ 582 { 583 .valid = 1, 584 .name = "GOST2001-GOST89-GOST89", 585 .id = 0x3000081, 586 .algorithm_mkey = SSL_kGOST, 587 .algorithm_auth = SSL_aGOST01, 588 .algorithm_enc = SSL_eGOST2814789CNT, 589 .algorithm_mac = SSL_GOST89MAC, 590 .algorithm_ssl = SSL_TLSV1, 591 .algo_strength = SSL_HIGH, 592 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 593 TLS1_STREAM_MAC, 594 .strength_bits = 256, 595 .alg_bits = 256 596 }, 597 598 /* Cipher 83 */ 599 { 600 .valid = 1, 601 .name = "GOST2001-NULL-GOST94", 602 .id = 0x3000083, 603 .algorithm_mkey = SSL_kGOST, 604 .algorithm_auth = SSL_aGOST01, 605 .algorithm_enc = SSL_eNULL, 606 .algorithm_mac = SSL_GOST94, 607 .algorithm_ssl = SSL_TLSV1, 608 .algo_strength = SSL_STRONG_NONE, 609 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 610 .strength_bits = 0, 611 .alg_bits = 0 612 }, 613 614 #ifndef OPENSSL_NO_CAMELLIA 615 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 616 617 /* Cipher 84 */ 618 { 619 .valid = 1, 620 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 621 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 622 .algorithm_mkey = SSL_kRSA, 623 .algorithm_auth = SSL_aRSA, 624 .algorithm_enc = SSL_CAMELLIA256, 625 .algorithm_mac = SSL_SHA1, 626 .algorithm_ssl = SSL_TLSV1, 627 .algo_strength = SSL_HIGH, 628 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 629 .strength_bits = 256, 630 .alg_bits = 256, 631 }, 632 633 /* Cipher 88 */ 634 { 635 .valid = 1, 636 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 637 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 638 .algorithm_mkey = SSL_kDHE, 639 .algorithm_auth = SSL_aRSA, 640 .algorithm_enc = SSL_CAMELLIA256, 641 .algorithm_mac = SSL_SHA1, 642 .algorithm_ssl = SSL_TLSV1, 643 .algo_strength = SSL_HIGH, 644 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 645 .strength_bits = 256, 646 .alg_bits = 256, 647 }, 648 649 /* Cipher 89 */ 650 { 651 .valid = 1, 652 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 653 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 654 .algorithm_mkey = SSL_kDHE, 655 .algorithm_auth = SSL_aNULL, 656 .algorithm_enc = SSL_CAMELLIA256, 657 .algorithm_mac = SSL_SHA1, 658 .algorithm_ssl = SSL_TLSV1, 659 .algo_strength = SSL_HIGH, 660 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 661 .strength_bits = 256, 662 .alg_bits = 256, 663 }, 664 #endif /* OPENSSL_NO_CAMELLIA */ 665 666 /* 667 * GCM ciphersuites from RFC5288. 668 */ 669 670 /* Cipher 9C */ 671 { 672 .valid = 1, 673 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 674 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 675 .algorithm_mkey = SSL_kRSA, 676 .algorithm_auth = SSL_aRSA, 677 .algorithm_enc = SSL_AES128GCM, 678 .algorithm_mac = SSL_AEAD, 679 .algorithm_ssl = SSL_TLSV1_2, 680 .algo_strength = SSL_HIGH, 681 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 682 FIXED_NONCE_LEN(4)| 683 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 684 .strength_bits = 128, 685 .alg_bits = 128, 686 }, 687 688 /* Cipher 9D */ 689 { 690 .valid = 1, 691 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 692 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 693 .algorithm_mkey = SSL_kRSA, 694 .algorithm_auth = SSL_aRSA, 695 .algorithm_enc = SSL_AES256GCM, 696 .algorithm_mac = SSL_AEAD, 697 .algorithm_ssl = SSL_TLSV1_2, 698 .algo_strength = SSL_HIGH, 699 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 700 FIXED_NONCE_LEN(4)| 701 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 702 .strength_bits = 256, 703 .alg_bits = 256, 704 }, 705 706 /* Cipher 9E */ 707 { 708 .valid = 1, 709 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 710 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 711 .algorithm_mkey = SSL_kDHE, 712 .algorithm_auth = SSL_aRSA, 713 .algorithm_enc = SSL_AES128GCM, 714 .algorithm_mac = SSL_AEAD, 715 .algorithm_ssl = SSL_TLSV1_2, 716 .algo_strength = SSL_HIGH, 717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 718 FIXED_NONCE_LEN(4)| 719 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 720 .strength_bits = 128, 721 .alg_bits = 128, 722 }, 723 724 /* Cipher 9F */ 725 { 726 .valid = 1, 727 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 728 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 729 .algorithm_mkey = SSL_kDHE, 730 .algorithm_auth = SSL_aRSA, 731 .algorithm_enc = SSL_AES256GCM, 732 .algorithm_mac = SSL_AEAD, 733 .algorithm_ssl = SSL_TLSV1_2, 734 .algo_strength = SSL_HIGH, 735 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 736 FIXED_NONCE_LEN(4)| 737 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 738 .strength_bits = 256, 739 .alg_bits = 256, 740 }, 741 742 /* Cipher A6 */ 743 { 744 .valid = 1, 745 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 746 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 747 .algorithm_mkey = SSL_kDHE, 748 .algorithm_auth = SSL_aNULL, 749 .algorithm_enc = SSL_AES128GCM, 750 .algorithm_mac = SSL_AEAD, 751 .algorithm_ssl = SSL_TLSV1_2, 752 .algo_strength = SSL_HIGH, 753 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 754 FIXED_NONCE_LEN(4)| 755 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 756 .strength_bits = 128, 757 .alg_bits = 128, 758 }, 759 760 /* Cipher A7 */ 761 { 762 .valid = 1, 763 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 764 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 765 .algorithm_mkey = SSL_kDHE, 766 .algorithm_auth = SSL_aNULL, 767 .algorithm_enc = SSL_AES256GCM, 768 .algorithm_mac = SSL_AEAD, 769 .algorithm_ssl = SSL_TLSV1_2, 770 .algo_strength = SSL_HIGH, 771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 772 FIXED_NONCE_LEN(4)| 773 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 774 .strength_bits = 256, 775 .alg_bits = 256, 776 }, 777 778 #ifndef OPENSSL_NO_CAMELLIA 779 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 780 781 /* Cipher BA */ 782 { 783 .valid = 1, 784 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 785 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 786 .algorithm_mkey = SSL_kRSA, 787 .algorithm_auth = SSL_aRSA, 788 .algorithm_enc = SSL_CAMELLIA128, 789 .algorithm_mac = SSL_SHA256, 790 .algorithm_ssl = SSL_TLSV1_2, 791 .algo_strength = SSL_HIGH, 792 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 793 .strength_bits = 128, 794 .alg_bits = 128, 795 }, 796 797 /* Cipher BE */ 798 { 799 .valid = 1, 800 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 801 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 802 .algorithm_mkey = SSL_kDHE, 803 .algorithm_auth = SSL_aRSA, 804 .algorithm_enc = SSL_CAMELLIA128, 805 .algorithm_mac = SSL_SHA256, 806 .algorithm_ssl = SSL_TLSV1_2, 807 .algo_strength = SSL_HIGH, 808 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 809 .strength_bits = 128, 810 .alg_bits = 128, 811 }, 812 813 /* Cipher BF */ 814 { 815 .valid = 1, 816 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 817 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 818 .algorithm_mkey = SSL_kDHE, 819 .algorithm_auth = SSL_aNULL, 820 .algorithm_enc = SSL_CAMELLIA128, 821 .algorithm_mac = SSL_SHA256, 822 .algorithm_ssl = SSL_TLSV1_2, 823 .algo_strength = SSL_HIGH, 824 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 825 .strength_bits = 128, 826 .alg_bits = 128, 827 }, 828 829 /* Cipher C0 */ 830 { 831 .valid = 1, 832 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 833 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 834 .algorithm_mkey = SSL_kRSA, 835 .algorithm_auth = SSL_aRSA, 836 .algorithm_enc = SSL_CAMELLIA256, 837 .algorithm_mac = SSL_SHA256, 838 .algorithm_ssl = SSL_TLSV1_2, 839 .algo_strength = SSL_HIGH, 840 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 841 .strength_bits = 256, 842 .alg_bits = 256, 843 }, 844 845 /* Cipher C4 */ 846 { 847 .valid = 1, 848 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 849 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 850 .algorithm_mkey = SSL_kDHE, 851 .algorithm_auth = SSL_aRSA, 852 .algorithm_enc = SSL_CAMELLIA256, 853 .algorithm_mac = SSL_SHA256, 854 .algorithm_ssl = SSL_TLSV1_2, 855 .algo_strength = SSL_HIGH, 856 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 857 .strength_bits = 256, 858 .alg_bits = 256, 859 }, 860 861 /* Cipher C5 */ 862 { 863 .valid = 1, 864 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 865 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 866 .algorithm_mkey = SSL_kDHE, 867 .algorithm_auth = SSL_aNULL, 868 .algorithm_enc = SSL_CAMELLIA256, 869 .algorithm_mac = SSL_SHA256, 870 .algorithm_ssl = SSL_TLSV1_2, 871 .algo_strength = SSL_HIGH, 872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 873 .strength_bits = 256, 874 .alg_bits = 256, 875 }, 876 #endif /* OPENSSL_NO_CAMELLIA */ 877 878 /* 879 * TLSv1.3 cipher suites. 880 */ 881 882 #ifdef LIBRESSL_HAS_TLS1_3 883 /* Cipher 1301 */ 884 { 885 .valid = 1, 886 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 887 .id = TLS1_3_CK_AES_128_GCM_SHA256, 888 .algorithm_mkey = SSL_kTLS1_3, 889 .algorithm_auth = SSL_aTLS1_3, 890 .algorithm_enc = SSL_AES128GCM, 891 .algorithm_mac = SSL_AEAD, 892 .algorithm_ssl = SSL_TLSV1_3, 893 .algo_strength = SSL_HIGH, 894 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 895 .strength_bits = 128, 896 .alg_bits = 128, 897 }, 898 899 /* Cipher 1302 */ 900 { 901 .valid = 1, 902 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 903 .id = TLS1_3_CK_AES_256_GCM_SHA384, 904 .algorithm_mkey = SSL_kTLS1_3, 905 .algorithm_auth = SSL_aTLS1_3, 906 .algorithm_enc = SSL_AES256GCM, 907 .algorithm_mac = SSL_AEAD, 908 .algorithm_ssl = SSL_TLSV1_3, 909 .algo_strength = SSL_HIGH, 910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 911 .strength_bits = 256, 912 .alg_bits = 256, 913 }, 914 915 /* Cipher 1303 */ 916 { 917 .valid = 1, 918 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 919 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 920 .algorithm_mkey = SSL_kTLS1_3, 921 .algorithm_auth = SSL_aTLS1_3, 922 .algorithm_enc = SSL_CHACHA20POLY1305, 923 .algorithm_mac = SSL_AEAD, 924 .algorithm_ssl = SSL_TLSV1_3, 925 .algo_strength = SSL_HIGH, 926 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 927 .strength_bits = 256, 928 .alg_bits = 256, 929 }, 930 #endif 931 932 /* Cipher C006 */ 933 { 934 .valid = 1, 935 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 936 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 937 .algorithm_mkey = SSL_kECDHE, 938 .algorithm_auth = SSL_aECDSA, 939 .algorithm_enc = SSL_eNULL, 940 .algorithm_mac = SSL_SHA1, 941 .algorithm_ssl = SSL_TLSV1, 942 .algo_strength = SSL_STRONG_NONE, 943 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 944 .strength_bits = 0, 945 .alg_bits = 0, 946 }, 947 948 /* Cipher C007 */ 949 { 950 .valid = 1, 951 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 952 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 953 .algorithm_mkey = SSL_kECDHE, 954 .algorithm_auth = SSL_aECDSA, 955 .algorithm_enc = SSL_RC4, 956 .algorithm_mac = SSL_SHA1, 957 .algorithm_ssl = SSL_TLSV1, 958 .algo_strength = SSL_LOW, 959 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 960 .strength_bits = 128, 961 .alg_bits = 128, 962 }, 963 964 /* Cipher C008 */ 965 { 966 .valid = 1, 967 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 968 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 969 .algorithm_mkey = SSL_kECDHE, 970 .algorithm_auth = SSL_aECDSA, 971 .algorithm_enc = SSL_3DES, 972 .algorithm_mac = SSL_SHA1, 973 .algorithm_ssl = SSL_TLSV1, 974 .algo_strength = SSL_MEDIUM, 975 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 976 .strength_bits = 112, 977 .alg_bits = 168, 978 }, 979 980 /* Cipher C009 */ 981 { 982 .valid = 1, 983 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 984 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 985 .algorithm_mkey = SSL_kECDHE, 986 .algorithm_auth = SSL_aECDSA, 987 .algorithm_enc = SSL_AES128, 988 .algorithm_mac = SSL_SHA1, 989 .algorithm_ssl = SSL_TLSV1, 990 .algo_strength = SSL_HIGH, 991 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 992 .strength_bits = 128, 993 .alg_bits = 128, 994 }, 995 996 /* Cipher C00A */ 997 { 998 .valid = 1, 999 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1000 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1001 .algorithm_mkey = SSL_kECDHE, 1002 .algorithm_auth = SSL_aECDSA, 1003 .algorithm_enc = SSL_AES256, 1004 .algorithm_mac = SSL_SHA1, 1005 .algorithm_ssl = SSL_TLSV1, 1006 .algo_strength = SSL_HIGH, 1007 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1008 .strength_bits = 256, 1009 .alg_bits = 256, 1010 }, 1011 1012 /* Cipher C010 */ 1013 { 1014 .valid = 1, 1015 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1016 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1017 .algorithm_mkey = SSL_kECDHE, 1018 .algorithm_auth = SSL_aRSA, 1019 .algorithm_enc = SSL_eNULL, 1020 .algorithm_mac = SSL_SHA1, 1021 .algorithm_ssl = SSL_TLSV1, 1022 .algo_strength = SSL_STRONG_NONE, 1023 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1024 .strength_bits = 0, 1025 .alg_bits = 0, 1026 }, 1027 1028 /* Cipher C011 */ 1029 { 1030 .valid = 1, 1031 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1032 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1033 .algorithm_mkey = SSL_kECDHE, 1034 .algorithm_auth = SSL_aRSA, 1035 .algorithm_enc = SSL_RC4, 1036 .algorithm_mac = SSL_SHA1, 1037 .algorithm_ssl = SSL_TLSV1, 1038 .algo_strength = SSL_LOW, 1039 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1040 .strength_bits = 128, 1041 .alg_bits = 128, 1042 }, 1043 1044 /* Cipher C012 */ 1045 { 1046 .valid = 1, 1047 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1048 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1049 .algorithm_mkey = SSL_kECDHE, 1050 .algorithm_auth = SSL_aRSA, 1051 .algorithm_enc = SSL_3DES, 1052 .algorithm_mac = SSL_SHA1, 1053 .algorithm_ssl = SSL_TLSV1, 1054 .algo_strength = SSL_MEDIUM, 1055 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1056 .strength_bits = 112, 1057 .alg_bits = 168, 1058 }, 1059 1060 /* Cipher C013 */ 1061 { 1062 .valid = 1, 1063 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1064 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1065 .algorithm_mkey = SSL_kECDHE, 1066 .algorithm_auth = SSL_aRSA, 1067 .algorithm_enc = SSL_AES128, 1068 .algorithm_mac = SSL_SHA1, 1069 .algorithm_ssl = SSL_TLSV1, 1070 .algo_strength = SSL_HIGH, 1071 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1072 .strength_bits = 128, 1073 .alg_bits = 128, 1074 }, 1075 1076 /* Cipher C014 */ 1077 { 1078 .valid = 1, 1079 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1080 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1081 .algorithm_mkey = SSL_kECDHE, 1082 .algorithm_auth = SSL_aRSA, 1083 .algorithm_enc = SSL_AES256, 1084 .algorithm_mac = SSL_SHA1, 1085 .algorithm_ssl = SSL_TLSV1, 1086 .algo_strength = SSL_HIGH, 1087 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1088 .strength_bits = 256, 1089 .alg_bits = 256, 1090 }, 1091 1092 /* Cipher C015 */ 1093 { 1094 .valid = 1, 1095 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1096 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1097 .algorithm_mkey = SSL_kECDHE, 1098 .algorithm_auth = SSL_aNULL, 1099 .algorithm_enc = SSL_eNULL, 1100 .algorithm_mac = SSL_SHA1, 1101 .algorithm_ssl = SSL_TLSV1, 1102 .algo_strength = SSL_STRONG_NONE, 1103 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1104 .strength_bits = 0, 1105 .alg_bits = 0, 1106 }, 1107 1108 /* Cipher C016 */ 1109 { 1110 .valid = 1, 1111 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1112 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1113 .algorithm_mkey = SSL_kECDHE, 1114 .algorithm_auth = SSL_aNULL, 1115 .algorithm_enc = SSL_RC4, 1116 .algorithm_mac = SSL_SHA1, 1117 .algorithm_ssl = SSL_TLSV1, 1118 .algo_strength = SSL_LOW, 1119 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1120 .strength_bits = 128, 1121 .alg_bits = 128, 1122 }, 1123 1124 /* Cipher C017 */ 1125 { 1126 .valid = 1, 1127 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1128 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1129 .algorithm_mkey = SSL_kECDHE, 1130 .algorithm_auth = SSL_aNULL, 1131 .algorithm_enc = SSL_3DES, 1132 .algorithm_mac = SSL_SHA1, 1133 .algorithm_ssl = SSL_TLSV1, 1134 .algo_strength = SSL_MEDIUM, 1135 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1136 .strength_bits = 112, 1137 .alg_bits = 168, 1138 }, 1139 1140 /* Cipher C018 */ 1141 { 1142 .valid = 1, 1143 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1144 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1145 .algorithm_mkey = SSL_kECDHE, 1146 .algorithm_auth = SSL_aNULL, 1147 .algorithm_enc = SSL_AES128, 1148 .algorithm_mac = SSL_SHA1, 1149 .algorithm_ssl = SSL_TLSV1, 1150 .algo_strength = SSL_HIGH, 1151 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1152 .strength_bits = 128, 1153 .alg_bits = 128, 1154 }, 1155 1156 /* Cipher C019 */ 1157 { 1158 .valid = 1, 1159 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1160 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1161 .algorithm_mkey = SSL_kECDHE, 1162 .algorithm_auth = SSL_aNULL, 1163 .algorithm_enc = SSL_AES256, 1164 .algorithm_mac = SSL_SHA1, 1165 .algorithm_ssl = SSL_TLSV1, 1166 .algo_strength = SSL_HIGH, 1167 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1168 .strength_bits = 256, 1169 .alg_bits = 256, 1170 }, 1171 1172 1173 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1174 1175 /* Cipher C023 */ 1176 { 1177 .valid = 1, 1178 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1179 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1180 .algorithm_mkey = SSL_kECDHE, 1181 .algorithm_auth = SSL_aECDSA, 1182 .algorithm_enc = SSL_AES128, 1183 .algorithm_mac = SSL_SHA256, 1184 .algorithm_ssl = SSL_TLSV1_2, 1185 .algo_strength = SSL_HIGH, 1186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1187 .strength_bits = 128, 1188 .alg_bits = 128, 1189 }, 1190 1191 /* Cipher C024 */ 1192 { 1193 .valid = 1, 1194 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1195 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1196 .algorithm_mkey = SSL_kECDHE, 1197 .algorithm_auth = SSL_aECDSA, 1198 .algorithm_enc = SSL_AES256, 1199 .algorithm_mac = SSL_SHA384, 1200 .algorithm_ssl = SSL_TLSV1_2, 1201 .algo_strength = SSL_HIGH, 1202 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1203 .strength_bits = 256, 1204 .alg_bits = 256, 1205 }, 1206 1207 /* Cipher C027 */ 1208 { 1209 .valid = 1, 1210 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1211 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1212 .algorithm_mkey = SSL_kECDHE, 1213 .algorithm_auth = SSL_aRSA, 1214 .algorithm_enc = SSL_AES128, 1215 .algorithm_mac = SSL_SHA256, 1216 .algorithm_ssl = SSL_TLSV1_2, 1217 .algo_strength = SSL_HIGH, 1218 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1219 .strength_bits = 128, 1220 .alg_bits = 128, 1221 }, 1222 1223 /* Cipher C028 */ 1224 { 1225 .valid = 1, 1226 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1227 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1228 .algorithm_mkey = SSL_kECDHE, 1229 .algorithm_auth = SSL_aRSA, 1230 .algorithm_enc = SSL_AES256, 1231 .algorithm_mac = SSL_SHA384, 1232 .algorithm_ssl = SSL_TLSV1_2, 1233 .algo_strength = SSL_HIGH, 1234 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1235 .strength_bits = 256, 1236 .alg_bits = 256, 1237 }, 1238 1239 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1240 1241 /* Cipher C02B */ 1242 { 1243 .valid = 1, 1244 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1245 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1246 .algorithm_mkey = SSL_kECDHE, 1247 .algorithm_auth = SSL_aECDSA, 1248 .algorithm_enc = SSL_AES128GCM, 1249 .algorithm_mac = SSL_AEAD, 1250 .algorithm_ssl = SSL_TLSV1_2, 1251 .algo_strength = SSL_HIGH, 1252 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1253 FIXED_NONCE_LEN(4)| 1254 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1255 .strength_bits = 128, 1256 .alg_bits = 128, 1257 }, 1258 1259 /* Cipher C02C */ 1260 { 1261 .valid = 1, 1262 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1263 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1264 .algorithm_mkey = SSL_kECDHE, 1265 .algorithm_auth = SSL_aECDSA, 1266 .algorithm_enc = SSL_AES256GCM, 1267 .algorithm_mac = SSL_AEAD, 1268 .algorithm_ssl = SSL_TLSV1_2, 1269 .algo_strength = SSL_HIGH, 1270 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1271 FIXED_NONCE_LEN(4)| 1272 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1273 .strength_bits = 256, 1274 .alg_bits = 256, 1275 }, 1276 1277 /* Cipher C02F */ 1278 { 1279 .valid = 1, 1280 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1281 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1282 .algorithm_mkey = SSL_kECDHE, 1283 .algorithm_auth = SSL_aRSA, 1284 .algorithm_enc = SSL_AES128GCM, 1285 .algorithm_mac = SSL_AEAD, 1286 .algorithm_ssl = SSL_TLSV1_2, 1287 .algo_strength = SSL_HIGH, 1288 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1289 FIXED_NONCE_LEN(4)| 1290 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1291 .strength_bits = 128, 1292 .alg_bits = 128, 1293 }, 1294 1295 /* Cipher C030 */ 1296 { 1297 .valid = 1, 1298 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1299 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1300 .algorithm_mkey = SSL_kECDHE, 1301 .algorithm_auth = SSL_aRSA, 1302 .algorithm_enc = SSL_AES256GCM, 1303 .algorithm_mac = SSL_AEAD, 1304 .algorithm_ssl = SSL_TLSV1_2, 1305 .algo_strength = SSL_HIGH, 1306 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1307 FIXED_NONCE_LEN(4)| 1308 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1309 .strength_bits = 256, 1310 .alg_bits = 256, 1311 }, 1312 1313 /* Cipher CCA8 */ 1314 { 1315 .valid = 1, 1316 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1317 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1318 .algorithm_mkey = SSL_kECDHE, 1319 .algorithm_auth = SSL_aRSA, 1320 .algorithm_enc = SSL_CHACHA20POLY1305, 1321 .algorithm_mac = SSL_AEAD, 1322 .algorithm_ssl = SSL_TLSV1_2, 1323 .algo_strength = SSL_HIGH, 1324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1325 FIXED_NONCE_LEN(12), 1326 .strength_bits = 256, 1327 .alg_bits = 256, 1328 }, 1329 1330 /* Cipher CCA9 */ 1331 { 1332 .valid = 1, 1333 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1334 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1335 .algorithm_mkey = SSL_kECDHE, 1336 .algorithm_auth = SSL_aECDSA, 1337 .algorithm_enc = SSL_CHACHA20POLY1305, 1338 .algorithm_mac = SSL_AEAD, 1339 .algorithm_ssl = SSL_TLSV1_2, 1340 .algo_strength = SSL_HIGH, 1341 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1342 FIXED_NONCE_LEN(12), 1343 .strength_bits = 256, 1344 .alg_bits = 256, 1345 }, 1346 1347 /* Cipher CCAA */ 1348 { 1349 .valid = 1, 1350 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1351 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1352 .algorithm_mkey = SSL_kDHE, 1353 .algorithm_auth = SSL_aRSA, 1354 .algorithm_enc = SSL_CHACHA20POLY1305, 1355 .algorithm_mac = SSL_AEAD, 1356 .algorithm_ssl = SSL_TLSV1_2, 1357 .algo_strength = SSL_HIGH, 1358 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1359 FIXED_NONCE_LEN(12), 1360 .strength_bits = 256, 1361 .alg_bits = 256, 1362 }, 1363 1364 /* Cipher FF85 FIXME IANA */ 1365 { 1366 .valid = 1, 1367 .name = "GOST2012256-GOST89-GOST89", 1368 .id = 0x300ff85, /* FIXME IANA */ 1369 .algorithm_mkey = SSL_kGOST, 1370 .algorithm_auth = SSL_aGOST01, 1371 .algorithm_enc = SSL_eGOST2814789CNT, 1372 .algorithm_mac = SSL_GOST89MAC, 1373 .algorithm_ssl = SSL_TLSV1, 1374 .algo_strength = SSL_HIGH, 1375 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1376 TLS1_STREAM_MAC, 1377 .strength_bits = 256, 1378 .alg_bits = 256 1379 }, 1380 1381 /* Cipher FF87 FIXME IANA */ 1382 { 1383 .valid = 1, 1384 .name = "GOST2012256-NULL-STREEBOG256", 1385 .id = 0x300ff87, /* FIXME IANA */ 1386 .algorithm_mkey = SSL_kGOST, 1387 .algorithm_auth = SSL_aGOST01, 1388 .algorithm_enc = SSL_eNULL, 1389 .algorithm_mac = SSL_STREEBOG256, 1390 .algorithm_ssl = SSL_TLSV1, 1391 .algo_strength = SSL_STRONG_NONE, 1392 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1393 .strength_bits = 0, 1394 .alg_bits = 0 1395 }, 1396 1397 1398 /* end of list */ 1399 }; 1400 1401 int 1402 ssl3_num_ciphers(void) 1403 { 1404 return (SSL3_NUM_CIPHERS); 1405 } 1406 1407 const SSL_CIPHER * 1408 ssl3_get_cipher(unsigned int u) 1409 { 1410 if (u < SSL3_NUM_CIPHERS) 1411 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1412 else 1413 return (NULL); 1414 } 1415 1416 const SSL_CIPHER * 1417 ssl3_get_cipher_by_id(unsigned int id) 1418 { 1419 const SSL_CIPHER *cp; 1420 SSL_CIPHER c; 1421 1422 c.id = id; 1423 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1424 if (cp != NULL && cp->valid == 1) 1425 return (cp); 1426 1427 return (NULL); 1428 } 1429 1430 const SSL_CIPHER * 1431 ssl3_get_cipher_by_value(uint16_t value) 1432 { 1433 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1434 } 1435 1436 uint16_t 1437 ssl3_cipher_get_value(const SSL_CIPHER *c) 1438 { 1439 return (c->id & SSL3_CK_VALUE_MASK); 1440 } 1441 1442 int 1443 ssl3_pending(const SSL *s) 1444 { 1445 if (s->s3->rcontent == NULL) 1446 return 0; 1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) 1448 return 0; 1449 1450 return tls_content_remaining(s->s3->rcontent); 1451 } 1452 1453 int 1454 ssl3_handshake_msg_hdr_len(SSL *s) 1455 { 1456 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1457 SSL3_HM_HEADER_LENGTH); 1458 } 1459 1460 int 1461 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1462 { 1463 int ret = 0; 1464 1465 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1466 goto err; 1467 if (!CBB_add_u8(handshake, msg_type)) 1468 goto err; 1469 if (SSL_is_dtls(s)) { 1470 unsigned char *data; 1471 1472 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1473 SSL3_HM_HEADER_LENGTH)) 1474 goto err; 1475 } 1476 if (!CBB_add_u24_length_prefixed(handshake, body)) 1477 goto err; 1478 1479 ret = 1; 1480 1481 err: 1482 return (ret); 1483 } 1484 1485 int 1486 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1487 { 1488 unsigned char *data = NULL; 1489 size_t outlen; 1490 int ret = 0; 1491 1492 if (!CBB_finish(handshake, &data, &outlen)) 1493 goto err; 1494 1495 if (outlen > INT_MAX) 1496 goto err; 1497 1498 if (!BUF_MEM_grow_clean(s->init_buf, outlen)) 1499 goto err; 1500 1501 memcpy(s->init_buf->data, data, outlen); 1502 1503 s->init_num = (int)outlen; 1504 s->init_off = 0; 1505 1506 if (SSL_is_dtls(s)) { 1507 unsigned long len; 1508 uint8_t msg_type; 1509 CBS cbs; 1510 1511 CBS_init(&cbs, data, outlen); 1512 if (!CBS_get_u8(&cbs, &msg_type)) 1513 goto err; 1514 1515 len = outlen - ssl3_handshake_msg_hdr_len(s); 1516 1517 dtls1_set_message_header(s, msg_type, len, 0, len); 1518 dtls1_buffer_message(s, 0); 1519 } 1520 1521 ret = 1; 1522 1523 err: 1524 free(data); 1525 1526 return (ret); 1527 } 1528 1529 int 1530 ssl3_handshake_write(SSL *s) 1531 { 1532 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1533 } 1534 1535 int 1536 ssl3_record_write(SSL *s, int type) 1537 { 1538 if (SSL_is_dtls(s)) 1539 return dtls1_do_write(s, type); 1540 1541 return ssl3_do_write(s, type); 1542 } 1543 1544 int 1545 ssl3_new(SSL *s) 1546 { 1547 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1548 return (0); 1549 1550 s->method->ssl_clear(s); 1551 1552 return (1); 1553 } 1554 1555 void 1556 ssl3_free(SSL *s) 1557 { 1558 if (s == NULL) 1559 return; 1560 1561 tls1_cleanup_key_block(s); 1562 ssl3_release_read_buffer(s); 1563 ssl3_release_write_buffer(s); 1564 1565 tls_content_free(s->s3->rcontent); 1566 1567 tls_buffer_free(s->s3->alert_fragment); 1568 tls_buffer_free(s->s3->handshake_fragment); 1569 1570 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1571 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1572 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1573 tls_key_share_free(s->s3->hs.key_share); 1574 1575 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1576 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1577 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1578 1579 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1580 1581 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1582 sk_X509_pop_free(s->verified_chain, X509_free); 1583 s->verified_chain = NULL; 1584 1585 tls1_transcript_free(s); 1586 tls1_transcript_hash_free(s); 1587 1588 free(s->s3->alpn_selected); 1589 1590 freezero(s->s3->peer_quic_transport_params, 1591 s->s3->peer_quic_transport_params_len); 1592 1593 freezero(s->s3, sizeof(*s->s3)); 1594 1595 s->s3 = NULL; 1596 } 1597 1598 void 1599 ssl3_clear(SSL *s) 1600 { 1601 unsigned char *rp, *wp; 1602 size_t rlen, wlen; 1603 1604 tls1_cleanup_key_block(s); 1605 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1606 sk_X509_pop_free(s->verified_chain, X509_free); 1607 s->verified_chain = NULL; 1608 1609 tls_buffer_free(s->s3->alert_fragment); 1610 s->s3->alert_fragment = NULL; 1611 tls_buffer_free(s->s3->handshake_fragment); 1612 s->s3->handshake_fragment = NULL; 1613 1614 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1615 s->s3->hs.sigalgs = NULL; 1616 s->s3->hs.sigalgs_len = 0; 1617 1618 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1619 s->s3->hs.peer_certs = NULL; 1620 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1621 s->s3->hs.peer_certs_no_leaf = NULL; 1622 1623 tls_key_share_free(s->s3->hs.key_share); 1624 s->s3->hs.key_share = NULL; 1625 1626 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1627 s->s3->hs.tls13.secrets = NULL; 1628 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1629 s->s3->hs.tls13.cookie = NULL; 1630 s->s3->hs.tls13.cookie_len = 0; 1631 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1632 1633 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1634 s->s3->hs.tls13.quic_read_buffer = NULL; 1635 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1636 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1637 1638 s->s3->hs.extensions_seen = 0; 1639 1640 rp = s->s3->rbuf.buf; 1641 wp = s->s3->wbuf.buf; 1642 rlen = s->s3->rbuf.len; 1643 wlen = s->s3->wbuf.len; 1644 1645 tls_content_free(s->s3->rcontent); 1646 s->s3->rcontent = NULL; 1647 1648 tls1_transcript_free(s); 1649 tls1_transcript_hash_free(s); 1650 1651 free(s->s3->alpn_selected); 1652 s->s3->alpn_selected = NULL; 1653 s->s3->alpn_selected_len = 0; 1654 1655 freezero(s->s3->peer_quic_transport_params, 1656 s->s3->peer_quic_transport_params_len); 1657 s->s3->peer_quic_transport_params = NULL; 1658 s->s3->peer_quic_transport_params_len = 0; 1659 1660 memset(s->s3, 0, sizeof(*s->s3)); 1661 1662 s->s3->rbuf.buf = rp; 1663 s->s3->wbuf.buf = wp; 1664 s->s3->rbuf.len = rlen; 1665 s->s3->wbuf.len = wlen; 1666 1667 ssl_free_wbio_buffer(s); 1668 1669 /* Not needed... */ 1670 s->s3->renegotiate = 0; 1671 s->s3->total_renegotiations = 0; 1672 s->s3->num_renegotiations = 0; 1673 s->s3->in_read_app_data = 0; 1674 1675 s->packet_length = 0; 1676 s->version = TLS1_VERSION; 1677 1678 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1679 } 1680 1681 long 1682 _SSL_get_shared_group(SSL *s, long n) 1683 { 1684 size_t count; 1685 int nid; 1686 1687 /* OpenSSL document that they return -1 for clients. They return 0. */ 1688 if (!s->server) 1689 return 0; 1690 1691 if (n == -1) { 1692 if (!tls1_count_shared_groups(s, &count)) 1693 return 0; 1694 1695 if (count > LONG_MAX) 1696 count = LONG_MAX; 1697 1698 return count; 1699 } 1700 1701 /* Undocumented special case added for Suite B profile support. */ 1702 if (n == -2) 1703 n = 0; 1704 1705 if (n < 0) 1706 return 0; 1707 1708 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1709 return NID_undef; 1710 1711 return nid; 1712 } 1713 1714 long 1715 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1716 { 1717 EVP_PKEY *pkey = NULL; 1718 int ret = 0; 1719 1720 *key = NULL; 1721 1722 if (s->s3->hs.key_share == NULL) 1723 goto err; 1724 1725 if ((pkey = EVP_PKEY_new()) == NULL) 1726 goto err; 1727 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1728 goto err; 1729 1730 *key = pkey; 1731 pkey = NULL; 1732 1733 ret = 1; 1734 1735 err: 1736 EVP_PKEY_free(pkey); 1737 1738 return (ret); 1739 } 1740 1741 static int 1742 _SSL_session_reused(SSL *s) 1743 { 1744 return s->hit; 1745 } 1746 1747 static int 1748 _SSL_num_renegotiations(SSL *s) 1749 { 1750 return s->s3->num_renegotiations; 1751 } 1752 1753 static int 1754 _SSL_clear_num_renegotiations(SSL *s) 1755 { 1756 int renegs; 1757 1758 renegs = s->s3->num_renegotiations; 1759 s->s3->num_renegotiations = 0; 1760 1761 return renegs; 1762 } 1763 1764 static int 1765 _SSL_total_renegotiations(SSL *s) 1766 { 1767 return s->s3->total_renegotiations; 1768 } 1769 1770 static int 1771 _SSL_set_tmp_dh(SSL *s, DH *dh) 1772 { 1773 DH *dhe_params; 1774 1775 if (dh == NULL) { 1776 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1777 return 0; 1778 } 1779 1780 if (!ssl_security_dh(s, dh)) { 1781 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1782 return 0; 1783 } 1784 1785 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1786 SSLerror(s, ERR_R_DH_LIB); 1787 return 0; 1788 } 1789 1790 DH_free(s->cert->dhe_params); 1791 s->cert->dhe_params = dhe_params; 1792 1793 return 1; 1794 } 1795 1796 static int 1797 _SSL_set_dh_auto(SSL *s, int state) 1798 { 1799 s->cert->dhe_params_auto = state; 1800 return 1; 1801 } 1802 1803 static int 1804 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1805 { 1806 const EC_GROUP *group; 1807 int nid; 1808 1809 if (ecdh == NULL) 1810 return 0; 1811 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1812 return 0; 1813 1814 nid = EC_GROUP_get_curve_name(group); 1815 return SSL_set1_groups(s, &nid, 1); 1816 } 1817 1818 static int 1819 _SSL_set_ecdh_auto(SSL *s, int state) 1820 { 1821 return 1; 1822 } 1823 1824 static int 1825 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1826 { 1827 int is_ip; 1828 CBS cbs; 1829 1830 free(s->tlsext_hostname); 1831 s->tlsext_hostname = NULL; 1832 1833 if (name == NULL) 1834 return 1; 1835 1836 CBS_init(&cbs, name, strlen(name)); 1837 1838 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1839 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1840 return 0; 1841 } 1842 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1843 SSLerror(s, ERR_R_INTERNAL_ERROR); 1844 return 0; 1845 } 1846 1847 return 1; 1848 } 1849 1850 static int 1851 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1852 { 1853 s->tlsext_debug_arg = arg; 1854 return 1; 1855 } 1856 1857 static int 1858 _SSL_get_tlsext_status_type(SSL *s) 1859 { 1860 return s->tlsext_status_type; 1861 } 1862 1863 static int 1864 _SSL_set_tlsext_status_type(SSL *s, int type) 1865 { 1866 s->tlsext_status_type = type; 1867 return 1; 1868 } 1869 1870 static int 1871 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1872 { 1873 *exts = s->tlsext_ocsp_exts; 1874 return 1; 1875 } 1876 1877 static int 1878 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1879 { 1880 /* XXX - leak... */ 1881 s->tlsext_ocsp_exts = exts; 1882 return 1; 1883 } 1884 1885 static int 1886 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1887 { 1888 *ids = s->tlsext_ocsp_ids; 1889 return 1; 1890 } 1891 1892 static int 1893 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1894 { 1895 /* XXX - leak... */ 1896 s->tlsext_ocsp_ids = ids; 1897 return 1; 1898 } 1899 1900 static int 1901 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1902 { 1903 if (s->tlsext_ocsp_resp != NULL && 1904 s->tlsext_ocsp_resp_len < INT_MAX) { 1905 *resp = s->tlsext_ocsp_resp; 1906 return (int)s->tlsext_ocsp_resp_len; 1907 } 1908 1909 *resp = NULL; 1910 1911 return -1; 1912 } 1913 1914 static int 1915 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1916 { 1917 free(s->tlsext_ocsp_resp); 1918 s->tlsext_ocsp_resp = NULL; 1919 s->tlsext_ocsp_resp_len = 0; 1920 1921 if (resp_len < 0) 1922 return 0; 1923 1924 s->tlsext_ocsp_resp = resp; 1925 s->tlsext_ocsp_resp_len = (size_t)resp_len; 1926 1927 return 1; 1928 } 1929 1930 int 1931 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1932 { 1933 return ssl_cert_set0_chain(NULL, ssl, chain); 1934 } 1935 1936 int 1937 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1938 { 1939 return ssl_cert_set1_chain(NULL, ssl, chain); 1940 } 1941 1942 int 1943 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1944 { 1945 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1946 } 1947 1948 int 1949 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1950 { 1951 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1952 } 1953 1954 int 1955 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1956 { 1957 *out_chain = NULL; 1958 1959 if (ssl->cert->key != NULL) 1960 *out_chain = ssl->cert->key->chain; 1961 1962 return 1; 1963 } 1964 1965 int 1966 SSL_clear_chain_certs(SSL *ssl) 1967 { 1968 return ssl_cert_set0_chain(NULL, ssl, NULL); 1969 } 1970 1971 int 1972 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1973 { 1974 return tls1_set_groups(&s->tlsext_supportedgroups, 1975 &s->tlsext_supportedgroups_length, groups, groups_len); 1976 } 1977 1978 int 1979 SSL_set1_groups_list(SSL *s, const char *groups) 1980 { 1981 return tls1_set_group_list(&s->tlsext_supportedgroups, 1982 &s->tlsext_supportedgroups_length, groups); 1983 } 1984 1985 static int 1986 _SSL_get_signature_nid(SSL *s, int *nid) 1987 { 1988 const struct ssl_sigalg *sigalg; 1989 1990 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1991 return 0; 1992 1993 *nid = EVP_MD_type(sigalg->md()); 1994 1995 return 1; 1996 } 1997 1998 static int 1999 _SSL_get_peer_signature_nid(SSL *s, int *nid) 2000 { 2001 const struct ssl_sigalg *sigalg; 2002 2003 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2004 return 0; 2005 2006 *nid = EVP_MD_type(sigalg->md()); 2007 2008 return 1; 2009 } 2010 2011 int 2012 SSL_get_signature_type_nid(const SSL *s, int *nid) 2013 { 2014 const struct ssl_sigalg *sigalg; 2015 2016 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 2017 return 0; 2018 2019 *nid = sigalg->key_type; 2020 if (sigalg->key_type == EVP_PKEY_RSA && 2021 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2022 *nid = EVP_PKEY_RSA_PSS; 2023 2024 return 1; 2025 } 2026 2027 int 2028 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 2029 { 2030 const struct ssl_sigalg *sigalg; 2031 2032 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2033 return 0; 2034 2035 *nid = sigalg->key_type; 2036 if (sigalg->key_type == EVP_PKEY_RSA && 2037 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2038 *nid = EVP_PKEY_RSA_PSS; 2039 2040 return 1; 2041 } 2042 2043 long 2044 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 2045 { 2046 switch (cmd) { 2047 case SSL_CTRL_GET_SESSION_REUSED: 2048 return _SSL_session_reused(s); 2049 2050 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 2051 return _SSL_num_renegotiations(s); 2052 2053 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 2054 return _SSL_clear_num_renegotiations(s); 2055 2056 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 2057 return _SSL_total_renegotiations(s); 2058 2059 case SSL_CTRL_SET_TMP_DH: 2060 return _SSL_set_tmp_dh(s, parg); 2061 2062 case SSL_CTRL_SET_TMP_DH_CB: 2063 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2064 return 0; 2065 2066 case SSL_CTRL_SET_DH_AUTO: 2067 return _SSL_set_dh_auto(s, larg); 2068 2069 case SSL_CTRL_SET_TMP_ECDH: 2070 return _SSL_set_tmp_ecdh(s, parg); 2071 2072 case SSL_CTRL_SET_TMP_ECDH_CB: 2073 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2074 return 0; 2075 2076 case SSL_CTRL_SET_ECDH_AUTO: 2077 return _SSL_set_ecdh_auto(s, larg); 2078 2079 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 2080 if (larg != TLSEXT_NAMETYPE_host_name) { 2081 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 2082 return 0; 2083 } 2084 return _SSL_set_tlsext_host_name(s, parg); 2085 2086 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2087 return _SSL_set_tlsext_debug_arg(s, parg); 2088 2089 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 2090 return _SSL_get_tlsext_status_type(s); 2091 2092 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 2093 return _SSL_set_tlsext_status_type(s, larg); 2094 2095 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 2096 return _SSL_get_tlsext_status_exts(s, parg); 2097 2098 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 2099 return _SSL_set_tlsext_status_exts(s, parg); 2100 2101 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 2102 return _SSL_get_tlsext_status_ids(s, parg); 2103 2104 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 2105 return _SSL_set_tlsext_status_ids(s, parg); 2106 2107 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2108 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2109 2110 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2111 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2112 2113 case SSL_CTRL_CHAIN: 2114 if (larg == 0) 2115 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2116 else 2117 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2118 2119 case SSL_CTRL_CHAIN_CERT: 2120 if (larg == 0) 2121 return SSL_add0_chain_cert(s, (X509 *)parg); 2122 else 2123 return SSL_add1_chain_cert(s, (X509 *)parg); 2124 2125 case SSL_CTRL_GET_CHAIN_CERTS: 2126 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2127 2128 case SSL_CTRL_SET_GROUPS: 2129 return SSL_set1_groups(s, parg, larg); 2130 2131 case SSL_CTRL_SET_GROUPS_LIST: 2132 return SSL_set1_groups_list(s, parg); 2133 2134 case SSL_CTRL_GET_SHARED_GROUP: 2135 return _SSL_get_shared_group(s, larg); 2136 2137 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2138 case SSL_CTRL_GET_SERVER_TMP_KEY: 2139 if (s->server != 0) 2140 return 0; 2141 return _SSL_get_peer_tmp_key(s, parg); 2142 2143 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2144 return SSL_get_min_proto_version(s); 2145 2146 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2147 return SSL_get_max_proto_version(s); 2148 2149 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2150 if (larg < 0 || larg > UINT16_MAX) 2151 return 0; 2152 return SSL_set_min_proto_version(s, larg); 2153 2154 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2155 if (larg < 0 || larg > UINT16_MAX) 2156 return 0; 2157 return SSL_set_max_proto_version(s, larg); 2158 2159 case SSL_CTRL_GET_SIGNATURE_NID: 2160 return _SSL_get_signature_nid(s, parg); 2161 2162 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 2163 return _SSL_get_peer_signature_nid(s, parg); 2164 2165 /* 2166 * Legacy controls that should eventually be removed. 2167 */ 2168 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2169 return 0; 2170 2171 case SSL_CTRL_GET_FLAGS: 2172 return (int)(s->s3->flags); 2173 2174 case SSL_CTRL_NEED_TMP_RSA: 2175 return 0; 2176 2177 case SSL_CTRL_SET_TMP_RSA: 2178 case SSL_CTRL_SET_TMP_RSA_CB: 2179 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2180 return 0; 2181 } 2182 2183 return 0; 2184 } 2185 2186 long 2187 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2188 { 2189 switch (cmd) { 2190 case SSL_CTRL_SET_TMP_RSA_CB: 2191 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2192 return 0; 2193 2194 case SSL_CTRL_SET_TMP_DH_CB: 2195 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 2196 return 1; 2197 2198 case SSL_CTRL_SET_TMP_ECDH_CB: 2199 return 1; 2200 2201 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2202 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2203 unsigned char *, int, void *))fp; 2204 return 1; 2205 } 2206 2207 return 0; 2208 } 2209 2210 static int 2211 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2212 { 2213 DH *dhe_params; 2214 2215 if (dh == NULL) { 2216 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 2217 return 0; 2218 } 2219 2220 if (!ssl_ctx_security_dh(ctx, dh)) { 2221 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 2222 return 0; 2223 } 2224 2225 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2226 SSLerrorx(ERR_R_DH_LIB); 2227 return 0; 2228 } 2229 2230 DH_free(ctx->cert->dhe_params); 2231 ctx->cert->dhe_params = dhe_params; 2232 2233 return 1; 2234 } 2235 2236 static int 2237 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2238 { 2239 ctx->cert->dhe_params_auto = state; 2240 return 1; 2241 } 2242 2243 static int 2244 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2245 { 2246 const EC_GROUP *group; 2247 int nid; 2248 2249 if (ecdh == NULL) 2250 return 0; 2251 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2252 return 0; 2253 2254 nid = EC_GROUP_get_curve_name(group); 2255 return SSL_CTX_set1_groups(ctx, &nid, 1); 2256 } 2257 2258 static int 2259 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2260 { 2261 return 1; 2262 } 2263 2264 static int 2265 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2266 { 2267 ctx->tlsext_servername_arg = arg; 2268 return 1; 2269 } 2270 2271 static int 2272 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2273 { 2274 if (keys == NULL) 2275 return 48; 2276 2277 if (keys_len != 48) { 2278 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2279 return 0; 2280 } 2281 2282 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2283 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2284 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2285 2286 return 1; 2287 } 2288 2289 static int 2290 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2291 { 2292 if (keys == NULL) 2293 return 48; 2294 2295 if (keys_len != 48) { 2296 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2297 return 0; 2298 } 2299 2300 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2301 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2302 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2303 2304 return 1; 2305 } 2306 2307 static int 2308 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2309 { 2310 *arg = ctx->tlsext_status_arg; 2311 return 1; 2312 } 2313 2314 static int 2315 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2316 { 2317 ctx->tlsext_status_arg = arg; 2318 return 1; 2319 } 2320 2321 int 2322 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2323 { 2324 return ssl_cert_set0_chain(ctx, NULL, chain); 2325 } 2326 2327 int 2328 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2329 { 2330 return ssl_cert_set1_chain(ctx, NULL, chain); 2331 } 2332 2333 int 2334 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2335 { 2336 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2337 } 2338 2339 int 2340 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2341 { 2342 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2343 } 2344 2345 int 2346 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2347 { 2348 *out_chain = NULL; 2349 2350 if (ctx->cert->key != NULL) 2351 *out_chain = ctx->cert->key->chain; 2352 2353 return 1; 2354 } 2355 2356 int 2357 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2358 { 2359 return ssl_cert_set0_chain(ctx, NULL, NULL); 2360 } 2361 2362 static int 2363 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2364 { 2365 if (ctx->extra_certs == NULL) { 2366 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2367 return 0; 2368 } 2369 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2370 return 0; 2371 2372 return 1; 2373 } 2374 2375 static int 2376 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2377 { 2378 *certs = ctx->extra_certs; 2379 if (*certs == NULL) 2380 *certs = ctx->cert->key->chain; 2381 2382 return 1; 2383 } 2384 2385 static int 2386 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2387 { 2388 *certs = ctx->extra_certs; 2389 return 1; 2390 } 2391 2392 static int 2393 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2394 { 2395 sk_X509_pop_free(ctx->extra_certs, X509_free); 2396 ctx->extra_certs = NULL; 2397 return 1; 2398 } 2399 2400 int 2401 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2402 { 2403 return tls1_set_groups(&ctx->tlsext_supportedgroups, 2404 &ctx->tlsext_supportedgroups_length, groups, groups_len); 2405 } 2406 2407 int 2408 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2409 { 2410 return tls1_set_group_list(&ctx->tlsext_supportedgroups, 2411 &ctx->tlsext_supportedgroups_length, groups); 2412 } 2413 2414 long 2415 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2416 { 2417 switch (cmd) { 2418 case SSL_CTRL_SET_TMP_DH: 2419 return _SSL_CTX_set_tmp_dh(ctx, parg); 2420 2421 case SSL_CTRL_SET_TMP_DH_CB: 2422 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2423 return 0; 2424 2425 case SSL_CTRL_SET_DH_AUTO: 2426 return _SSL_CTX_set_dh_auto(ctx, larg); 2427 2428 case SSL_CTRL_SET_TMP_ECDH: 2429 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2430 2431 case SSL_CTRL_SET_TMP_ECDH_CB: 2432 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2433 return 0; 2434 2435 case SSL_CTRL_SET_ECDH_AUTO: 2436 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2437 2438 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2439 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2440 2441 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2442 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2443 2444 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2445 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2446 2447 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2448 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2449 2450 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2451 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2452 2453 case SSL_CTRL_CHAIN: 2454 if (larg == 0) 2455 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2456 else 2457 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2458 2459 case SSL_CTRL_CHAIN_CERT: 2460 if (larg == 0) 2461 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2462 else 2463 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2464 2465 case SSL_CTRL_GET_CHAIN_CERTS: 2466 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2467 2468 case SSL_CTRL_EXTRA_CHAIN_CERT: 2469 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2470 2471 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2472 if (larg == 0) 2473 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2474 else 2475 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2476 2477 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2478 return _SSL_CTX_clear_extra_chain_certs(ctx); 2479 2480 case SSL_CTRL_SET_GROUPS: 2481 return SSL_CTX_set1_groups(ctx, parg, larg); 2482 2483 case SSL_CTRL_SET_GROUPS_LIST: 2484 return SSL_CTX_set1_groups_list(ctx, parg); 2485 2486 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2487 return SSL_CTX_get_min_proto_version(ctx); 2488 2489 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2490 return SSL_CTX_get_max_proto_version(ctx); 2491 2492 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2493 if (larg < 0 || larg > UINT16_MAX) 2494 return 0; 2495 return SSL_CTX_set_min_proto_version(ctx, larg); 2496 2497 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2498 if (larg < 0 || larg > UINT16_MAX) 2499 return 0; 2500 return SSL_CTX_set_max_proto_version(ctx, larg); 2501 2502 /* 2503 * Legacy controls that should eventually be removed. 2504 */ 2505 case SSL_CTRL_NEED_TMP_RSA: 2506 return 0; 2507 2508 case SSL_CTRL_SET_TMP_RSA: 2509 case SSL_CTRL_SET_TMP_RSA_CB: 2510 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2511 return 0; 2512 } 2513 2514 return 0; 2515 } 2516 2517 long 2518 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2519 { 2520 switch (cmd) { 2521 case SSL_CTRL_SET_TMP_RSA_CB: 2522 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2523 return 0; 2524 2525 case SSL_CTRL_SET_TMP_DH_CB: 2526 ctx->cert->dhe_params_cb = 2527 (DH *(*)(SSL *, int, int))fp; 2528 return 1; 2529 2530 case SSL_CTRL_SET_TMP_ECDH_CB: 2531 return 1; 2532 2533 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2534 ctx->tlsext_servername_callback = 2535 (int (*)(SSL *, int *, void *))fp; 2536 return 1; 2537 2538 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2539 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; 2540 return 1; 2541 2542 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2543 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2544 return 1; 2545 2546 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2547 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2548 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2549 return 1; 2550 } 2551 2552 return 0; 2553 } 2554 2555 SSL_CIPHER * 2556 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2557 STACK_OF(SSL_CIPHER) *srvr) 2558 { 2559 unsigned long alg_k, alg_a, mask_k, mask_a; 2560 STACK_OF(SSL_CIPHER) *prio, *allow; 2561 SSL_CIPHER *c, *ret = NULL; 2562 int can_use_ecc; 2563 int i, ii, nid, ok; 2564 SSL_CERT *cert; 2565 2566 /* Let's see which ciphers we can support */ 2567 cert = s->cert; 2568 2569 can_use_ecc = tls1_get_supported_group(s, &nid); 2570 2571 /* 2572 * Do not set the compare functions, because this may lead to a 2573 * reordering by "id". We want to keep the original ordering. 2574 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2575 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2576 */ 2577 2578 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2579 prio = srvr; 2580 allow = clnt; 2581 } else { 2582 prio = clnt; 2583 allow = srvr; 2584 } 2585 2586 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2587 c = sk_SSL_CIPHER_value(prio, i); 2588 2589 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2590 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2591 !SSL_USE_TLS1_2_CIPHERS(s)) 2592 continue; 2593 2594 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2595 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2596 !SSL_USE_TLS1_3_CIPHERS(s)) 2597 continue; 2598 2599 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2600 if (SSL_USE_TLS1_3_CIPHERS(s) && 2601 !(c->algorithm_ssl & SSL_TLSV1_3)) 2602 continue; 2603 2604 if (!ssl_security_shared_cipher(s, c)) 2605 continue; 2606 2607 ssl_set_cert_masks(cert, c); 2608 mask_k = cert->mask_k; 2609 mask_a = cert->mask_a; 2610 2611 alg_k = c->algorithm_mkey; 2612 alg_a = c->algorithm_auth; 2613 2614 ok = (alg_k & mask_k) && (alg_a & mask_a); 2615 2616 /* 2617 * If we are considering an ECC cipher suite that uses our 2618 * certificate check it. 2619 */ 2620 if (alg_a & SSL_aECDSA) 2621 ok = ok && tls1_check_ec_server_key(s); 2622 /* 2623 * If we are considering an ECC cipher suite that uses 2624 * an ephemeral EC key check it. 2625 */ 2626 if (alg_k & SSL_kECDHE) 2627 ok = ok && can_use_ecc; 2628 2629 if (!ok) 2630 continue; 2631 ii = sk_SSL_CIPHER_find(allow, c); 2632 if (ii >= 0) { 2633 ret = sk_SSL_CIPHER_value(allow, ii); 2634 break; 2635 } 2636 } 2637 return (ret); 2638 } 2639 2640 int 2641 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2642 { 2643 unsigned long alg_k; 2644 2645 alg_k = s->s3->hs.cipher->algorithm_mkey; 2646 2647 #ifndef OPENSSL_NO_GOST 2648 if ((alg_k & SSL_kGOST) != 0) { 2649 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2650 return 0; 2651 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2652 return 0; 2653 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2654 return 0; 2655 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2656 return 0; 2657 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2658 return 0; 2659 } 2660 #endif 2661 2662 if ((alg_k & SSL_kDHE) != 0) { 2663 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2664 return 0; 2665 } 2666 2667 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2668 return 0; 2669 2670 /* 2671 * ECDSA certs can be used with RSA cipher suites as well 2672 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2673 */ 2674 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2675 return 0; 2676 2677 return 1; 2678 } 2679 2680 int 2681 ssl3_shutdown(SSL *s) 2682 { 2683 int ret; 2684 2685 /* 2686 * Don't do anything much if we have not done the handshake or 2687 * we don't want to send messages :-) 2688 */ 2689 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2690 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2691 return (1); 2692 } 2693 2694 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { 2695 s->shutdown|=SSL_SENT_SHUTDOWN; 2696 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2697 /* 2698 * Our shutdown alert has been sent now, and if it still needs 2699 * to be written, s->s3->alert_dispatch will be true 2700 */ 2701 if (s->s3->alert_dispatch) 2702 return (-1); /* return WANT_WRITE */ 2703 } else if (s->s3->alert_dispatch) { 2704 /* resend it if not sent */ 2705 ret = ssl3_dispatch_alert(s); 2706 if (ret == -1) { 2707 /* 2708 * We only get to return -1 here the 2nd/Nth 2709 * invocation, we must have already signalled 2710 * return 0 upon a previous invoation, 2711 * return WANT_WRITE 2712 */ 2713 return (ret); 2714 } 2715 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2716 /* If we are waiting for a close from our peer, we are closed */ 2717 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2718 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2719 return (-1); /* return WANT_READ */ 2720 } 2721 } 2722 2723 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2724 !s->s3->alert_dispatch) 2725 return (1); 2726 else 2727 return (0); 2728 } 2729 2730 int 2731 ssl3_write(SSL *s, const void *buf, int len) 2732 { 2733 errno = 0; 2734 2735 if (s->s3->renegotiate) 2736 ssl3_renegotiate_check(s); 2737 2738 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2739 buf, len); 2740 } 2741 2742 static int 2743 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2744 { 2745 int ret; 2746 2747 errno = 0; 2748 if (s->s3->renegotiate) 2749 ssl3_renegotiate_check(s); 2750 s->s3->in_read_app_data = 1; 2751 2752 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2753 peek); 2754 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2755 /* 2756 * ssl3_read_bytes decided to call s->handshake_func, 2757 * which called ssl3_read_bytes to read handshake data. 2758 * However, ssl3_read_bytes actually found application data 2759 * and thinks that application data makes sense here; so disable 2760 * handshake processing and try to read application data again. 2761 */ 2762 s->in_handshake++; 2763 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2764 buf, len, peek); 2765 s->in_handshake--; 2766 } else 2767 s->s3->in_read_app_data = 0; 2768 2769 return (ret); 2770 } 2771 2772 int 2773 ssl3_read(SSL *s, void *buf, int len) 2774 { 2775 return ssl3_read_internal(s, buf, len, 0); 2776 } 2777 2778 int 2779 ssl3_peek(SSL *s, void *buf, int len) 2780 { 2781 return ssl3_read_internal(s, buf, len, 1); 2782 } 2783 2784 int 2785 ssl3_renegotiate(SSL *s) 2786 { 2787 if (s->handshake_func == NULL) 2788 return 1; 2789 2790 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2791 return 0; 2792 2793 s->s3->renegotiate = 1; 2794 2795 return 1; 2796 } 2797 2798 int 2799 ssl3_renegotiate_check(SSL *s) 2800 { 2801 if (!s->s3->renegotiate) 2802 return 0; 2803 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2804 return 0; 2805 2806 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2807 s->s3->renegotiate = 0; 2808 s->s3->num_renegotiations++; 2809 s->s3->total_renegotiations++; 2810 2811 return 1; 2812 } 2813