1 /* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 #include <openssl/opensslconf.h> 160 161 #include "bytestring.h" 162 #include "dtls_local.h" 163 #include "ssl_local.h" 164 #include "ssl_sigalgs.h" 165 #include "ssl_tlsext.h" 166 #include "tls_content.h" 167 168 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 169 170 /* 171 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 172 * fixed nonce length in algorithms2. It is the inverse of the 173 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 174 */ 175 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 176 177 /* list of available SSLv3 ciphers (sorted by id) */ 178 const SSL_CIPHER ssl3_ciphers[] = { 179 180 /* The RSA ciphers */ 181 /* Cipher 01 */ 182 { 183 .valid = 1, 184 .name = SSL3_TXT_RSA_NULL_MD5, 185 .id = SSL3_CK_RSA_NULL_MD5, 186 .algorithm_mkey = SSL_kRSA, 187 .algorithm_auth = SSL_aRSA, 188 .algorithm_enc = SSL_eNULL, 189 .algorithm_mac = SSL_MD5, 190 .algorithm_ssl = SSL_SSLV3, 191 .algo_strength = SSL_STRONG_NONE, 192 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 193 .strength_bits = 0, 194 .alg_bits = 0, 195 }, 196 197 /* Cipher 02 */ 198 { 199 .valid = 1, 200 .name = SSL3_TXT_RSA_NULL_SHA, 201 .id = SSL3_CK_RSA_NULL_SHA, 202 .algorithm_mkey = SSL_kRSA, 203 .algorithm_auth = SSL_aRSA, 204 .algorithm_enc = SSL_eNULL, 205 .algorithm_mac = SSL_SHA1, 206 .algorithm_ssl = SSL_SSLV3, 207 .algo_strength = SSL_STRONG_NONE, 208 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 209 .strength_bits = 0, 210 .alg_bits = 0, 211 }, 212 213 /* Cipher 04 */ 214 { 215 .valid = 1, 216 .name = SSL3_TXT_RSA_RC4_128_MD5, 217 .id = SSL3_CK_RSA_RC4_128_MD5, 218 .algorithm_mkey = SSL_kRSA, 219 .algorithm_auth = SSL_aRSA, 220 .algorithm_enc = SSL_RC4, 221 .algorithm_mac = SSL_MD5, 222 .algorithm_ssl = SSL_SSLV3, 223 .algo_strength = SSL_LOW, 224 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 225 .strength_bits = 128, 226 .alg_bits = 128, 227 }, 228 229 /* Cipher 05 */ 230 { 231 .valid = 1, 232 .name = SSL3_TXT_RSA_RC4_128_SHA, 233 .id = SSL3_CK_RSA_RC4_128_SHA, 234 .algorithm_mkey = SSL_kRSA, 235 .algorithm_auth = SSL_aRSA, 236 .algorithm_enc = SSL_RC4, 237 .algorithm_mac = SSL_SHA1, 238 .algorithm_ssl = SSL_SSLV3, 239 .algo_strength = SSL_LOW, 240 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 241 .strength_bits = 128, 242 .alg_bits = 128, 243 }, 244 245 /* Cipher 0A */ 246 { 247 .valid = 1, 248 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 249 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 250 .algorithm_mkey = SSL_kRSA, 251 .algorithm_auth = SSL_aRSA, 252 .algorithm_enc = SSL_3DES, 253 .algorithm_mac = SSL_SHA1, 254 .algorithm_ssl = SSL_SSLV3, 255 .algo_strength = SSL_MEDIUM, 256 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 257 .strength_bits = 112, 258 .alg_bits = 168, 259 }, 260 261 /* 262 * Ephemeral DH (DHE) ciphers. 263 */ 264 265 /* Cipher 16 */ 266 { 267 .valid = 1, 268 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 269 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 270 .algorithm_mkey = SSL_kDHE, 271 .algorithm_auth = SSL_aRSA, 272 .algorithm_enc = SSL_3DES, 273 .algorithm_mac = SSL_SHA1, 274 .algorithm_ssl = SSL_SSLV3, 275 .algo_strength = SSL_MEDIUM, 276 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 277 .strength_bits = 112, 278 .alg_bits = 168, 279 }, 280 281 /* Cipher 18 */ 282 { 283 .valid = 1, 284 .name = SSL3_TXT_ADH_RC4_128_MD5, 285 .id = SSL3_CK_ADH_RC4_128_MD5, 286 .algorithm_mkey = SSL_kDHE, 287 .algorithm_auth = SSL_aNULL, 288 .algorithm_enc = SSL_RC4, 289 .algorithm_mac = SSL_MD5, 290 .algorithm_ssl = SSL_SSLV3, 291 .algo_strength = SSL_LOW, 292 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 293 .strength_bits = 128, 294 .alg_bits = 128, 295 }, 296 297 /* Cipher 1B */ 298 { 299 .valid = 1, 300 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 301 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 302 .algorithm_mkey = SSL_kDHE, 303 .algorithm_auth = SSL_aNULL, 304 .algorithm_enc = SSL_3DES, 305 .algorithm_mac = SSL_SHA1, 306 .algorithm_ssl = SSL_SSLV3, 307 .algo_strength = SSL_MEDIUM, 308 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 309 .strength_bits = 112, 310 .alg_bits = 168, 311 }, 312 313 /* 314 * AES ciphersuites. 315 */ 316 317 /* Cipher 2F */ 318 { 319 .valid = 1, 320 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 321 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 322 .algorithm_mkey = SSL_kRSA, 323 .algorithm_auth = SSL_aRSA, 324 .algorithm_enc = SSL_AES128, 325 .algorithm_mac = SSL_SHA1, 326 .algorithm_ssl = SSL_TLSV1, 327 .algo_strength = SSL_HIGH, 328 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 329 .strength_bits = 128, 330 .alg_bits = 128, 331 }, 332 333 /* Cipher 33 */ 334 { 335 .valid = 1, 336 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 337 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 338 .algorithm_mkey = SSL_kDHE, 339 .algorithm_auth = SSL_aRSA, 340 .algorithm_enc = SSL_AES128, 341 .algorithm_mac = SSL_SHA1, 342 .algorithm_ssl = SSL_TLSV1, 343 .algo_strength = SSL_HIGH, 344 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 345 .strength_bits = 128, 346 .alg_bits = 128, 347 }, 348 349 /* Cipher 34 */ 350 { 351 .valid = 1, 352 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 353 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 354 .algorithm_mkey = SSL_kDHE, 355 .algorithm_auth = SSL_aNULL, 356 .algorithm_enc = SSL_AES128, 357 .algorithm_mac = SSL_SHA1, 358 .algorithm_ssl = SSL_TLSV1, 359 .algo_strength = SSL_HIGH, 360 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 361 .strength_bits = 128, 362 .alg_bits = 128, 363 }, 364 365 /* Cipher 35 */ 366 { 367 .valid = 1, 368 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 369 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 370 .algorithm_mkey = SSL_kRSA, 371 .algorithm_auth = SSL_aRSA, 372 .algorithm_enc = SSL_AES256, 373 .algorithm_mac = SSL_SHA1, 374 .algorithm_ssl = SSL_TLSV1, 375 .algo_strength = SSL_HIGH, 376 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 377 .strength_bits = 256, 378 .alg_bits = 256, 379 }, 380 381 /* Cipher 39 */ 382 { 383 .valid = 1, 384 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 385 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 386 .algorithm_mkey = SSL_kDHE, 387 .algorithm_auth = SSL_aRSA, 388 .algorithm_enc = SSL_AES256, 389 .algorithm_mac = SSL_SHA1, 390 .algorithm_ssl = SSL_TLSV1, 391 .algo_strength = SSL_HIGH, 392 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 393 .strength_bits = 256, 394 .alg_bits = 256, 395 }, 396 397 /* Cipher 3A */ 398 { 399 .valid = 1, 400 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 401 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 402 .algorithm_mkey = SSL_kDHE, 403 .algorithm_auth = SSL_aNULL, 404 .algorithm_enc = SSL_AES256, 405 .algorithm_mac = SSL_SHA1, 406 .algorithm_ssl = SSL_TLSV1, 407 .algo_strength = SSL_HIGH, 408 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 409 .strength_bits = 256, 410 .alg_bits = 256, 411 }, 412 413 /* TLS v1.2 ciphersuites */ 414 /* Cipher 3B */ 415 { 416 .valid = 1, 417 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 418 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 419 .algorithm_mkey = SSL_kRSA, 420 .algorithm_auth = SSL_aRSA, 421 .algorithm_enc = SSL_eNULL, 422 .algorithm_mac = SSL_SHA256, 423 .algorithm_ssl = SSL_TLSV1_2, 424 .algo_strength = SSL_STRONG_NONE, 425 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 426 .strength_bits = 0, 427 .alg_bits = 0, 428 }, 429 430 /* Cipher 3C */ 431 { 432 .valid = 1, 433 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 434 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 435 .algorithm_mkey = SSL_kRSA, 436 .algorithm_auth = SSL_aRSA, 437 .algorithm_enc = SSL_AES128, 438 .algorithm_mac = SSL_SHA256, 439 .algorithm_ssl = SSL_TLSV1_2, 440 .algo_strength = SSL_HIGH, 441 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 442 .strength_bits = 128, 443 .alg_bits = 128, 444 }, 445 446 /* Cipher 3D */ 447 { 448 .valid = 1, 449 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 450 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 451 .algorithm_mkey = SSL_kRSA, 452 .algorithm_auth = SSL_aRSA, 453 .algorithm_enc = SSL_AES256, 454 .algorithm_mac = SSL_SHA256, 455 .algorithm_ssl = SSL_TLSV1_2, 456 .algo_strength = SSL_HIGH, 457 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 458 .strength_bits = 256, 459 .alg_bits = 256, 460 }, 461 462 #ifndef OPENSSL_NO_CAMELLIA 463 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 464 465 /* Cipher 41 */ 466 { 467 .valid = 1, 468 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 469 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 470 .algorithm_mkey = SSL_kRSA, 471 .algorithm_auth = SSL_aRSA, 472 .algorithm_enc = SSL_CAMELLIA128, 473 .algorithm_mac = SSL_SHA1, 474 .algorithm_ssl = SSL_TLSV1, 475 .algo_strength = SSL_HIGH, 476 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 477 .strength_bits = 128, 478 .alg_bits = 128, 479 }, 480 481 /* Cipher 45 */ 482 { 483 .valid = 1, 484 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 485 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 486 .algorithm_mkey = SSL_kDHE, 487 .algorithm_auth = SSL_aRSA, 488 .algorithm_enc = SSL_CAMELLIA128, 489 .algorithm_mac = SSL_SHA1, 490 .algorithm_ssl = SSL_TLSV1, 491 .algo_strength = SSL_HIGH, 492 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 493 .strength_bits = 128, 494 .alg_bits = 128, 495 }, 496 497 /* Cipher 46 */ 498 { 499 .valid = 1, 500 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 501 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 502 .algorithm_mkey = SSL_kDHE, 503 .algorithm_auth = SSL_aNULL, 504 .algorithm_enc = SSL_CAMELLIA128, 505 .algorithm_mac = SSL_SHA1, 506 .algorithm_ssl = SSL_TLSV1, 507 .algo_strength = SSL_HIGH, 508 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 509 .strength_bits = 128, 510 .alg_bits = 128, 511 }, 512 #endif /* OPENSSL_NO_CAMELLIA */ 513 514 /* TLS v1.2 ciphersuites */ 515 /* Cipher 67 */ 516 { 517 .valid = 1, 518 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 519 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 520 .algorithm_mkey = SSL_kDHE, 521 .algorithm_auth = SSL_aRSA, 522 .algorithm_enc = SSL_AES128, 523 .algorithm_mac = SSL_SHA256, 524 .algorithm_ssl = SSL_TLSV1_2, 525 .algo_strength = SSL_HIGH, 526 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 527 .strength_bits = 128, 528 .alg_bits = 128, 529 }, 530 531 /* Cipher 6B */ 532 { 533 .valid = 1, 534 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 535 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 536 .algorithm_mkey = SSL_kDHE, 537 .algorithm_auth = SSL_aRSA, 538 .algorithm_enc = SSL_AES256, 539 .algorithm_mac = SSL_SHA256, 540 .algorithm_ssl = SSL_TLSV1_2, 541 .algo_strength = SSL_HIGH, 542 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 543 .strength_bits = 256, 544 .alg_bits = 256, 545 }, 546 547 /* Cipher 6C */ 548 { 549 .valid = 1, 550 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 551 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 552 .algorithm_mkey = SSL_kDHE, 553 .algorithm_auth = SSL_aNULL, 554 .algorithm_enc = SSL_AES128, 555 .algorithm_mac = SSL_SHA256, 556 .algorithm_ssl = SSL_TLSV1_2, 557 .algo_strength = SSL_HIGH, 558 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 559 .strength_bits = 128, 560 .alg_bits = 128, 561 }, 562 563 /* Cipher 6D */ 564 { 565 .valid = 1, 566 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 567 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 568 .algorithm_mkey = SSL_kDHE, 569 .algorithm_auth = SSL_aNULL, 570 .algorithm_enc = SSL_AES256, 571 .algorithm_mac = SSL_SHA256, 572 .algorithm_ssl = SSL_TLSV1_2, 573 .algo_strength = SSL_HIGH, 574 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 575 .strength_bits = 256, 576 .alg_bits = 256, 577 }, 578 579 /* GOST Ciphersuites */ 580 581 /* Cipher 81 */ 582 { 583 .valid = 1, 584 .name = "GOST2001-GOST89-GOST89", 585 .id = 0x3000081, 586 .algorithm_mkey = SSL_kGOST, 587 .algorithm_auth = SSL_aGOST01, 588 .algorithm_enc = SSL_eGOST2814789CNT, 589 .algorithm_mac = SSL_GOST89MAC, 590 .algorithm_ssl = SSL_TLSV1, 591 .algo_strength = SSL_HIGH, 592 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 593 TLS1_STREAM_MAC, 594 .strength_bits = 256, 595 .alg_bits = 256 596 }, 597 598 /* Cipher 83 */ 599 { 600 .valid = 1, 601 .name = "GOST2001-NULL-GOST94", 602 .id = 0x3000083, 603 .algorithm_mkey = SSL_kGOST, 604 .algorithm_auth = SSL_aGOST01, 605 .algorithm_enc = SSL_eNULL, 606 .algorithm_mac = SSL_GOST94, 607 .algorithm_ssl = SSL_TLSV1, 608 .algo_strength = SSL_STRONG_NONE, 609 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 610 .strength_bits = 0, 611 .alg_bits = 0 612 }, 613 614 #ifndef OPENSSL_NO_CAMELLIA 615 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 616 617 /* Cipher 84 */ 618 { 619 .valid = 1, 620 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 621 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 622 .algorithm_mkey = SSL_kRSA, 623 .algorithm_auth = SSL_aRSA, 624 .algorithm_enc = SSL_CAMELLIA256, 625 .algorithm_mac = SSL_SHA1, 626 .algorithm_ssl = SSL_TLSV1, 627 .algo_strength = SSL_HIGH, 628 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 629 .strength_bits = 256, 630 .alg_bits = 256, 631 }, 632 633 /* Cipher 88 */ 634 { 635 .valid = 1, 636 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 637 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 638 .algorithm_mkey = SSL_kDHE, 639 .algorithm_auth = SSL_aRSA, 640 .algorithm_enc = SSL_CAMELLIA256, 641 .algorithm_mac = SSL_SHA1, 642 .algorithm_ssl = SSL_TLSV1, 643 .algo_strength = SSL_HIGH, 644 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 645 .strength_bits = 256, 646 .alg_bits = 256, 647 }, 648 649 /* Cipher 89 */ 650 { 651 .valid = 1, 652 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 653 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 654 .algorithm_mkey = SSL_kDHE, 655 .algorithm_auth = SSL_aNULL, 656 .algorithm_enc = SSL_CAMELLIA256, 657 .algorithm_mac = SSL_SHA1, 658 .algorithm_ssl = SSL_TLSV1, 659 .algo_strength = SSL_HIGH, 660 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 661 .strength_bits = 256, 662 .alg_bits = 256, 663 }, 664 #endif /* OPENSSL_NO_CAMELLIA */ 665 666 /* 667 * GCM ciphersuites from RFC5288. 668 */ 669 670 /* Cipher 9C */ 671 { 672 .valid = 1, 673 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 674 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 675 .algorithm_mkey = SSL_kRSA, 676 .algorithm_auth = SSL_aRSA, 677 .algorithm_enc = SSL_AES128GCM, 678 .algorithm_mac = SSL_AEAD, 679 .algorithm_ssl = SSL_TLSV1_2, 680 .algo_strength = SSL_HIGH, 681 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 682 FIXED_NONCE_LEN(4)| 683 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 684 .strength_bits = 128, 685 .alg_bits = 128, 686 }, 687 688 /* Cipher 9D */ 689 { 690 .valid = 1, 691 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 692 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 693 .algorithm_mkey = SSL_kRSA, 694 .algorithm_auth = SSL_aRSA, 695 .algorithm_enc = SSL_AES256GCM, 696 .algorithm_mac = SSL_AEAD, 697 .algorithm_ssl = SSL_TLSV1_2, 698 .algo_strength = SSL_HIGH, 699 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 700 FIXED_NONCE_LEN(4)| 701 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 702 .strength_bits = 256, 703 .alg_bits = 256, 704 }, 705 706 /* Cipher 9E */ 707 { 708 .valid = 1, 709 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 710 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 711 .algorithm_mkey = SSL_kDHE, 712 .algorithm_auth = SSL_aRSA, 713 .algorithm_enc = SSL_AES128GCM, 714 .algorithm_mac = SSL_AEAD, 715 .algorithm_ssl = SSL_TLSV1_2, 716 .algo_strength = SSL_HIGH, 717 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 718 FIXED_NONCE_LEN(4)| 719 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 720 .strength_bits = 128, 721 .alg_bits = 128, 722 }, 723 724 /* Cipher 9F */ 725 { 726 .valid = 1, 727 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 728 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 729 .algorithm_mkey = SSL_kDHE, 730 .algorithm_auth = SSL_aRSA, 731 .algorithm_enc = SSL_AES256GCM, 732 .algorithm_mac = SSL_AEAD, 733 .algorithm_ssl = SSL_TLSV1_2, 734 .algo_strength = SSL_HIGH, 735 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 736 FIXED_NONCE_LEN(4)| 737 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 738 .strength_bits = 256, 739 .alg_bits = 256, 740 }, 741 742 /* Cipher A6 */ 743 { 744 .valid = 1, 745 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 746 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 747 .algorithm_mkey = SSL_kDHE, 748 .algorithm_auth = SSL_aNULL, 749 .algorithm_enc = SSL_AES128GCM, 750 .algorithm_mac = SSL_AEAD, 751 .algorithm_ssl = SSL_TLSV1_2, 752 .algo_strength = SSL_HIGH, 753 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 754 FIXED_NONCE_LEN(4)| 755 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 756 .strength_bits = 128, 757 .alg_bits = 128, 758 }, 759 760 /* Cipher A7 */ 761 { 762 .valid = 1, 763 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 764 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 765 .algorithm_mkey = SSL_kDHE, 766 .algorithm_auth = SSL_aNULL, 767 .algorithm_enc = SSL_AES256GCM, 768 .algorithm_mac = SSL_AEAD, 769 .algorithm_ssl = SSL_TLSV1_2, 770 .algo_strength = SSL_HIGH, 771 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 772 FIXED_NONCE_LEN(4)| 773 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 774 .strength_bits = 256, 775 .alg_bits = 256, 776 }, 777 778 #ifndef OPENSSL_NO_CAMELLIA 779 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 780 781 /* Cipher BA */ 782 { 783 .valid = 1, 784 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 785 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 786 .algorithm_mkey = SSL_kRSA, 787 .algorithm_auth = SSL_aRSA, 788 .algorithm_enc = SSL_CAMELLIA128, 789 .algorithm_mac = SSL_SHA256, 790 .algorithm_ssl = SSL_TLSV1_2, 791 .algo_strength = SSL_HIGH, 792 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 793 .strength_bits = 128, 794 .alg_bits = 128, 795 }, 796 797 /* Cipher BE */ 798 { 799 .valid = 1, 800 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 801 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 802 .algorithm_mkey = SSL_kDHE, 803 .algorithm_auth = SSL_aRSA, 804 .algorithm_enc = SSL_CAMELLIA128, 805 .algorithm_mac = SSL_SHA256, 806 .algorithm_ssl = SSL_TLSV1_2, 807 .algo_strength = SSL_HIGH, 808 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 809 .strength_bits = 128, 810 .alg_bits = 128, 811 }, 812 813 /* Cipher BF */ 814 { 815 .valid = 1, 816 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 817 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 818 .algorithm_mkey = SSL_kDHE, 819 .algorithm_auth = SSL_aNULL, 820 .algorithm_enc = SSL_CAMELLIA128, 821 .algorithm_mac = SSL_SHA256, 822 .algorithm_ssl = SSL_TLSV1_2, 823 .algo_strength = SSL_HIGH, 824 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 825 .strength_bits = 128, 826 .alg_bits = 128, 827 }, 828 829 /* Cipher C0 */ 830 { 831 .valid = 1, 832 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 833 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 834 .algorithm_mkey = SSL_kRSA, 835 .algorithm_auth = SSL_aRSA, 836 .algorithm_enc = SSL_CAMELLIA256, 837 .algorithm_mac = SSL_SHA256, 838 .algorithm_ssl = SSL_TLSV1_2, 839 .algo_strength = SSL_HIGH, 840 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 841 .strength_bits = 256, 842 .alg_bits = 256, 843 }, 844 845 /* Cipher C4 */ 846 { 847 .valid = 1, 848 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 849 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 850 .algorithm_mkey = SSL_kDHE, 851 .algorithm_auth = SSL_aRSA, 852 .algorithm_enc = SSL_CAMELLIA256, 853 .algorithm_mac = SSL_SHA256, 854 .algorithm_ssl = SSL_TLSV1_2, 855 .algo_strength = SSL_HIGH, 856 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 857 .strength_bits = 256, 858 .alg_bits = 256, 859 }, 860 861 /* Cipher C5 */ 862 { 863 .valid = 1, 864 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 865 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 866 .algorithm_mkey = SSL_kDHE, 867 .algorithm_auth = SSL_aNULL, 868 .algorithm_enc = SSL_CAMELLIA256, 869 .algorithm_mac = SSL_SHA256, 870 .algorithm_ssl = SSL_TLSV1_2, 871 .algo_strength = SSL_HIGH, 872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 873 .strength_bits = 256, 874 .alg_bits = 256, 875 }, 876 #endif /* OPENSSL_NO_CAMELLIA */ 877 878 /* 879 * TLSv1.3 cipher suites. 880 */ 881 882 #ifdef LIBRESSL_HAS_TLS1_3 883 /* Cipher 1301 */ 884 { 885 .valid = 1, 886 .name = TLS1_3_RFC_AES_128_GCM_SHA256, 887 .id = TLS1_3_CK_AES_128_GCM_SHA256, 888 .algorithm_mkey = SSL_kTLS1_3, 889 .algorithm_auth = SSL_aTLS1_3, 890 .algorithm_enc = SSL_AES128GCM, 891 .algorithm_mac = SSL_AEAD, 892 .algorithm_ssl = SSL_TLSV1_3, 893 .algo_strength = SSL_HIGH, 894 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 895 .strength_bits = 128, 896 .alg_bits = 128, 897 }, 898 899 /* Cipher 1302 */ 900 { 901 .valid = 1, 902 .name = TLS1_3_RFC_AES_256_GCM_SHA384, 903 .id = TLS1_3_CK_AES_256_GCM_SHA384, 904 .algorithm_mkey = SSL_kTLS1_3, 905 .algorithm_auth = SSL_aTLS1_3, 906 .algorithm_enc = SSL_AES256GCM, 907 .algorithm_mac = SSL_AEAD, 908 .algorithm_ssl = SSL_TLSV1_3, 909 .algo_strength = SSL_HIGH, 910 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 911 .strength_bits = 256, 912 .alg_bits = 256, 913 }, 914 915 /* Cipher 1303 */ 916 { 917 .valid = 1, 918 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 919 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 920 .algorithm_mkey = SSL_kTLS1_3, 921 .algorithm_auth = SSL_aTLS1_3, 922 .algorithm_enc = SSL_CHACHA20POLY1305, 923 .algorithm_mac = SSL_AEAD, 924 .algorithm_ssl = SSL_TLSV1_3, 925 .algo_strength = SSL_HIGH, 926 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 927 .strength_bits = 256, 928 .alg_bits = 256, 929 }, 930 #endif 931 932 /* Cipher C006 */ 933 { 934 .valid = 1, 935 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 936 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 937 .algorithm_mkey = SSL_kECDHE, 938 .algorithm_auth = SSL_aECDSA, 939 .algorithm_enc = SSL_eNULL, 940 .algorithm_mac = SSL_SHA1, 941 .algorithm_ssl = SSL_TLSV1, 942 .algo_strength = SSL_STRONG_NONE, 943 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 944 .strength_bits = 0, 945 .alg_bits = 0, 946 }, 947 948 /* Cipher C007 */ 949 { 950 .valid = 1, 951 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 952 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 953 .algorithm_mkey = SSL_kECDHE, 954 .algorithm_auth = SSL_aECDSA, 955 .algorithm_enc = SSL_RC4, 956 .algorithm_mac = SSL_SHA1, 957 .algorithm_ssl = SSL_TLSV1, 958 .algo_strength = SSL_LOW, 959 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 960 .strength_bits = 128, 961 .alg_bits = 128, 962 }, 963 964 /* Cipher C008 */ 965 { 966 .valid = 1, 967 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 968 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 969 .algorithm_mkey = SSL_kECDHE, 970 .algorithm_auth = SSL_aECDSA, 971 .algorithm_enc = SSL_3DES, 972 .algorithm_mac = SSL_SHA1, 973 .algorithm_ssl = SSL_TLSV1, 974 .algo_strength = SSL_MEDIUM, 975 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 976 .strength_bits = 112, 977 .alg_bits = 168, 978 }, 979 980 /* Cipher C009 */ 981 { 982 .valid = 1, 983 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 984 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 985 .algorithm_mkey = SSL_kECDHE, 986 .algorithm_auth = SSL_aECDSA, 987 .algorithm_enc = SSL_AES128, 988 .algorithm_mac = SSL_SHA1, 989 .algorithm_ssl = SSL_TLSV1, 990 .algo_strength = SSL_HIGH, 991 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 992 .strength_bits = 128, 993 .alg_bits = 128, 994 }, 995 996 /* Cipher C00A */ 997 { 998 .valid = 1, 999 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1000 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1001 .algorithm_mkey = SSL_kECDHE, 1002 .algorithm_auth = SSL_aECDSA, 1003 .algorithm_enc = SSL_AES256, 1004 .algorithm_mac = SSL_SHA1, 1005 .algorithm_ssl = SSL_TLSV1, 1006 .algo_strength = SSL_HIGH, 1007 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1008 .strength_bits = 256, 1009 .alg_bits = 256, 1010 }, 1011 1012 /* Cipher C010 */ 1013 { 1014 .valid = 1, 1015 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1016 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1017 .algorithm_mkey = SSL_kECDHE, 1018 .algorithm_auth = SSL_aRSA, 1019 .algorithm_enc = SSL_eNULL, 1020 .algorithm_mac = SSL_SHA1, 1021 .algorithm_ssl = SSL_TLSV1, 1022 .algo_strength = SSL_STRONG_NONE, 1023 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1024 .strength_bits = 0, 1025 .alg_bits = 0, 1026 }, 1027 1028 /* Cipher C011 */ 1029 { 1030 .valid = 1, 1031 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1032 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1033 .algorithm_mkey = SSL_kECDHE, 1034 .algorithm_auth = SSL_aRSA, 1035 .algorithm_enc = SSL_RC4, 1036 .algorithm_mac = SSL_SHA1, 1037 .algorithm_ssl = SSL_TLSV1, 1038 .algo_strength = SSL_LOW, 1039 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1040 .strength_bits = 128, 1041 .alg_bits = 128, 1042 }, 1043 1044 /* Cipher C012 */ 1045 { 1046 .valid = 1, 1047 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1048 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1049 .algorithm_mkey = SSL_kECDHE, 1050 .algorithm_auth = SSL_aRSA, 1051 .algorithm_enc = SSL_3DES, 1052 .algorithm_mac = SSL_SHA1, 1053 .algorithm_ssl = SSL_TLSV1, 1054 .algo_strength = SSL_MEDIUM, 1055 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1056 .strength_bits = 112, 1057 .alg_bits = 168, 1058 }, 1059 1060 /* Cipher C013 */ 1061 { 1062 .valid = 1, 1063 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1064 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1065 .algorithm_mkey = SSL_kECDHE, 1066 .algorithm_auth = SSL_aRSA, 1067 .algorithm_enc = SSL_AES128, 1068 .algorithm_mac = SSL_SHA1, 1069 .algorithm_ssl = SSL_TLSV1, 1070 .algo_strength = SSL_HIGH, 1071 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1072 .strength_bits = 128, 1073 .alg_bits = 128, 1074 }, 1075 1076 /* Cipher C014 */ 1077 { 1078 .valid = 1, 1079 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1080 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1081 .algorithm_mkey = SSL_kECDHE, 1082 .algorithm_auth = SSL_aRSA, 1083 .algorithm_enc = SSL_AES256, 1084 .algorithm_mac = SSL_SHA1, 1085 .algorithm_ssl = SSL_TLSV1, 1086 .algo_strength = SSL_HIGH, 1087 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1088 .strength_bits = 256, 1089 .alg_bits = 256, 1090 }, 1091 1092 /* Cipher C015 */ 1093 { 1094 .valid = 1, 1095 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1096 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1097 .algorithm_mkey = SSL_kECDHE, 1098 .algorithm_auth = SSL_aNULL, 1099 .algorithm_enc = SSL_eNULL, 1100 .algorithm_mac = SSL_SHA1, 1101 .algorithm_ssl = SSL_TLSV1, 1102 .algo_strength = SSL_STRONG_NONE, 1103 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1104 .strength_bits = 0, 1105 .alg_bits = 0, 1106 }, 1107 1108 /* Cipher C016 */ 1109 { 1110 .valid = 1, 1111 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1112 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1113 .algorithm_mkey = SSL_kECDHE, 1114 .algorithm_auth = SSL_aNULL, 1115 .algorithm_enc = SSL_RC4, 1116 .algorithm_mac = SSL_SHA1, 1117 .algorithm_ssl = SSL_TLSV1, 1118 .algo_strength = SSL_LOW, 1119 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1120 .strength_bits = 128, 1121 .alg_bits = 128, 1122 }, 1123 1124 /* Cipher C017 */ 1125 { 1126 .valid = 1, 1127 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1128 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1129 .algorithm_mkey = SSL_kECDHE, 1130 .algorithm_auth = SSL_aNULL, 1131 .algorithm_enc = SSL_3DES, 1132 .algorithm_mac = SSL_SHA1, 1133 .algorithm_ssl = SSL_TLSV1, 1134 .algo_strength = SSL_MEDIUM, 1135 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1136 .strength_bits = 112, 1137 .alg_bits = 168, 1138 }, 1139 1140 /* Cipher C018 */ 1141 { 1142 .valid = 1, 1143 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1144 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1145 .algorithm_mkey = SSL_kECDHE, 1146 .algorithm_auth = SSL_aNULL, 1147 .algorithm_enc = SSL_AES128, 1148 .algorithm_mac = SSL_SHA1, 1149 .algorithm_ssl = SSL_TLSV1, 1150 .algo_strength = SSL_HIGH, 1151 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1152 .strength_bits = 128, 1153 .alg_bits = 128, 1154 }, 1155 1156 /* Cipher C019 */ 1157 { 1158 .valid = 1, 1159 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1160 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1161 .algorithm_mkey = SSL_kECDHE, 1162 .algorithm_auth = SSL_aNULL, 1163 .algorithm_enc = SSL_AES256, 1164 .algorithm_mac = SSL_SHA1, 1165 .algorithm_ssl = SSL_TLSV1, 1166 .algo_strength = SSL_HIGH, 1167 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1168 .strength_bits = 256, 1169 .alg_bits = 256, 1170 }, 1171 1172 1173 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1174 1175 /* Cipher C023 */ 1176 { 1177 .valid = 1, 1178 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1179 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1180 .algorithm_mkey = SSL_kECDHE, 1181 .algorithm_auth = SSL_aECDSA, 1182 .algorithm_enc = SSL_AES128, 1183 .algorithm_mac = SSL_SHA256, 1184 .algorithm_ssl = SSL_TLSV1_2, 1185 .algo_strength = SSL_HIGH, 1186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1187 .strength_bits = 128, 1188 .alg_bits = 128, 1189 }, 1190 1191 /* Cipher C024 */ 1192 { 1193 .valid = 1, 1194 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1195 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1196 .algorithm_mkey = SSL_kECDHE, 1197 .algorithm_auth = SSL_aECDSA, 1198 .algorithm_enc = SSL_AES256, 1199 .algorithm_mac = SSL_SHA384, 1200 .algorithm_ssl = SSL_TLSV1_2, 1201 .algo_strength = SSL_HIGH, 1202 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1203 .strength_bits = 256, 1204 .alg_bits = 256, 1205 }, 1206 1207 /* Cipher C027 */ 1208 { 1209 .valid = 1, 1210 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1211 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1212 .algorithm_mkey = SSL_kECDHE, 1213 .algorithm_auth = SSL_aRSA, 1214 .algorithm_enc = SSL_AES128, 1215 .algorithm_mac = SSL_SHA256, 1216 .algorithm_ssl = SSL_TLSV1_2, 1217 .algo_strength = SSL_HIGH, 1218 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1219 .strength_bits = 128, 1220 .alg_bits = 128, 1221 }, 1222 1223 /* Cipher C028 */ 1224 { 1225 .valid = 1, 1226 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1227 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1228 .algorithm_mkey = SSL_kECDHE, 1229 .algorithm_auth = SSL_aRSA, 1230 .algorithm_enc = SSL_AES256, 1231 .algorithm_mac = SSL_SHA384, 1232 .algorithm_ssl = SSL_TLSV1_2, 1233 .algo_strength = SSL_HIGH, 1234 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1235 .strength_bits = 256, 1236 .alg_bits = 256, 1237 }, 1238 1239 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1240 1241 /* Cipher C02B */ 1242 { 1243 .valid = 1, 1244 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1245 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1246 .algorithm_mkey = SSL_kECDHE, 1247 .algorithm_auth = SSL_aECDSA, 1248 .algorithm_enc = SSL_AES128GCM, 1249 .algorithm_mac = SSL_AEAD, 1250 .algorithm_ssl = SSL_TLSV1_2, 1251 .algo_strength = SSL_HIGH, 1252 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1253 FIXED_NONCE_LEN(4)| 1254 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1255 .strength_bits = 128, 1256 .alg_bits = 128, 1257 }, 1258 1259 /* Cipher C02C */ 1260 { 1261 .valid = 1, 1262 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1263 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1264 .algorithm_mkey = SSL_kECDHE, 1265 .algorithm_auth = SSL_aECDSA, 1266 .algorithm_enc = SSL_AES256GCM, 1267 .algorithm_mac = SSL_AEAD, 1268 .algorithm_ssl = SSL_TLSV1_2, 1269 .algo_strength = SSL_HIGH, 1270 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1271 FIXED_NONCE_LEN(4)| 1272 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1273 .strength_bits = 256, 1274 .alg_bits = 256, 1275 }, 1276 1277 /* Cipher C02F */ 1278 { 1279 .valid = 1, 1280 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1281 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1282 .algorithm_mkey = SSL_kECDHE, 1283 .algorithm_auth = SSL_aRSA, 1284 .algorithm_enc = SSL_AES128GCM, 1285 .algorithm_mac = SSL_AEAD, 1286 .algorithm_ssl = SSL_TLSV1_2, 1287 .algo_strength = SSL_HIGH, 1288 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1289 FIXED_NONCE_LEN(4)| 1290 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1291 .strength_bits = 128, 1292 .alg_bits = 128, 1293 }, 1294 1295 /* Cipher C030 */ 1296 { 1297 .valid = 1, 1298 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1299 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1300 .algorithm_mkey = SSL_kECDHE, 1301 .algorithm_auth = SSL_aRSA, 1302 .algorithm_enc = SSL_AES256GCM, 1303 .algorithm_mac = SSL_AEAD, 1304 .algorithm_ssl = SSL_TLSV1_2, 1305 .algo_strength = SSL_HIGH, 1306 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1307 FIXED_NONCE_LEN(4)| 1308 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1309 .strength_bits = 256, 1310 .alg_bits = 256, 1311 }, 1312 1313 /* Cipher CCA8 */ 1314 { 1315 .valid = 1, 1316 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1317 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1318 .algorithm_mkey = SSL_kECDHE, 1319 .algorithm_auth = SSL_aRSA, 1320 .algorithm_enc = SSL_CHACHA20POLY1305, 1321 .algorithm_mac = SSL_AEAD, 1322 .algorithm_ssl = SSL_TLSV1_2, 1323 .algo_strength = SSL_HIGH, 1324 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1325 FIXED_NONCE_LEN(12), 1326 .strength_bits = 256, 1327 .alg_bits = 256, 1328 }, 1329 1330 /* Cipher CCA9 */ 1331 { 1332 .valid = 1, 1333 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1334 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1335 .algorithm_mkey = SSL_kECDHE, 1336 .algorithm_auth = SSL_aECDSA, 1337 .algorithm_enc = SSL_CHACHA20POLY1305, 1338 .algorithm_mac = SSL_AEAD, 1339 .algorithm_ssl = SSL_TLSV1_2, 1340 .algo_strength = SSL_HIGH, 1341 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1342 FIXED_NONCE_LEN(12), 1343 .strength_bits = 256, 1344 .alg_bits = 256, 1345 }, 1346 1347 /* Cipher CCAA */ 1348 { 1349 .valid = 1, 1350 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1351 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1352 .algorithm_mkey = SSL_kDHE, 1353 .algorithm_auth = SSL_aRSA, 1354 .algorithm_enc = SSL_CHACHA20POLY1305, 1355 .algorithm_mac = SSL_AEAD, 1356 .algorithm_ssl = SSL_TLSV1_2, 1357 .algo_strength = SSL_HIGH, 1358 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1359 FIXED_NONCE_LEN(12), 1360 .strength_bits = 256, 1361 .alg_bits = 256, 1362 }, 1363 1364 /* Cipher FF85 FIXME IANA */ 1365 { 1366 .valid = 1, 1367 .name = "GOST2012256-GOST89-GOST89", 1368 .id = 0x300ff85, /* FIXME IANA */ 1369 .algorithm_mkey = SSL_kGOST, 1370 .algorithm_auth = SSL_aGOST01, 1371 .algorithm_enc = SSL_eGOST2814789CNT, 1372 .algorithm_mac = SSL_GOST89MAC, 1373 .algorithm_ssl = SSL_TLSV1, 1374 .algo_strength = SSL_HIGH, 1375 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1376 TLS1_STREAM_MAC, 1377 .strength_bits = 256, 1378 .alg_bits = 256 1379 }, 1380 1381 /* Cipher FF87 FIXME IANA */ 1382 { 1383 .valid = 1, 1384 .name = "GOST2012256-NULL-STREEBOG256", 1385 .id = 0x300ff87, /* FIXME IANA */ 1386 .algorithm_mkey = SSL_kGOST, 1387 .algorithm_auth = SSL_aGOST01, 1388 .algorithm_enc = SSL_eNULL, 1389 .algorithm_mac = SSL_STREEBOG256, 1390 .algorithm_ssl = SSL_TLSV1, 1391 .algo_strength = SSL_STRONG_NONE, 1392 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1393 .strength_bits = 0, 1394 .alg_bits = 0 1395 }, 1396 1397 1398 /* end of list */ 1399 }; 1400 1401 int 1402 ssl3_num_ciphers(void) 1403 { 1404 return (SSL3_NUM_CIPHERS); 1405 } 1406 1407 const SSL_CIPHER * 1408 ssl3_get_cipher(unsigned int u) 1409 { 1410 if (u < SSL3_NUM_CIPHERS) 1411 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1412 else 1413 return (NULL); 1414 } 1415 1416 const SSL_CIPHER * 1417 ssl3_get_cipher_by_id(unsigned int id) 1418 { 1419 const SSL_CIPHER *cp; 1420 SSL_CIPHER c; 1421 1422 c.id = id; 1423 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1424 if (cp != NULL && cp->valid == 1) 1425 return (cp); 1426 1427 return (NULL); 1428 } 1429 1430 const SSL_CIPHER * 1431 ssl3_get_cipher_by_value(uint16_t value) 1432 { 1433 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1434 } 1435 1436 uint16_t 1437 ssl3_cipher_get_value(const SSL_CIPHER *c) 1438 { 1439 return (c->id & SSL3_CK_VALUE_MASK); 1440 } 1441 1442 int 1443 ssl3_pending(const SSL *s) 1444 { 1445 if (s->s3->rcontent == NULL) 1446 return 0; 1447 if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) 1448 return 0; 1449 1450 return tls_content_remaining(s->s3->rcontent); 1451 } 1452 1453 int 1454 ssl3_handshake_msg_hdr_len(SSL *s) 1455 { 1456 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH : 1457 SSL3_HM_HEADER_LENGTH); 1458 } 1459 1460 int 1461 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1462 { 1463 int ret = 0; 1464 1465 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1466 goto err; 1467 if (!CBB_add_u8(handshake, msg_type)) 1468 goto err; 1469 if (SSL_is_dtls(s)) { 1470 unsigned char *data; 1471 1472 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1473 SSL3_HM_HEADER_LENGTH)) 1474 goto err; 1475 } 1476 if (!CBB_add_u24_length_prefixed(handshake, body)) 1477 goto err; 1478 1479 ret = 1; 1480 1481 err: 1482 return (ret); 1483 } 1484 1485 int 1486 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1487 { 1488 unsigned char *data = NULL; 1489 size_t outlen; 1490 int ret = 0; 1491 1492 if (!CBB_finish(handshake, &data, &outlen)) 1493 goto err; 1494 1495 if (outlen > INT_MAX) 1496 goto err; 1497 1498 if (!BUF_MEM_grow_clean(s->init_buf, outlen)) 1499 goto err; 1500 1501 memcpy(s->init_buf->data, data, outlen); 1502 1503 s->init_num = (int)outlen; 1504 s->init_off = 0; 1505 1506 if (SSL_is_dtls(s)) { 1507 unsigned long len; 1508 uint8_t msg_type; 1509 CBS cbs; 1510 1511 CBS_init(&cbs, data, outlen); 1512 if (!CBS_get_u8(&cbs, &msg_type)) 1513 goto err; 1514 1515 len = outlen - ssl3_handshake_msg_hdr_len(s); 1516 1517 dtls1_set_message_header(s, msg_type, len, 0, len); 1518 dtls1_buffer_message(s, 0); 1519 } 1520 1521 ret = 1; 1522 1523 err: 1524 free(data); 1525 1526 return (ret); 1527 } 1528 1529 int 1530 ssl3_handshake_write(SSL *s) 1531 { 1532 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1533 } 1534 1535 int 1536 ssl3_record_write(SSL *s, int type) 1537 { 1538 if (SSL_is_dtls(s)) 1539 return dtls1_do_write(s, type); 1540 1541 return ssl3_do_write(s, type); 1542 } 1543 1544 int 1545 ssl3_new(SSL *s) 1546 { 1547 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1548 return (0); 1549 1550 s->method->ssl_clear(s); 1551 1552 return (1); 1553 } 1554 1555 void 1556 ssl3_free(SSL *s) 1557 { 1558 if (s == NULL) 1559 return; 1560 1561 tls1_cleanup_key_block(s); 1562 ssl3_release_read_buffer(s); 1563 ssl3_release_write_buffer(s); 1564 1565 tls_content_free(s->s3->rcontent); 1566 1567 tls_buffer_free(s->s3->alert_fragment); 1568 tls_buffer_free(s->s3->handshake_fragment); 1569 1570 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1571 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1572 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1573 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1574 tls_key_share_free(s->s3->hs.key_share); 1575 1576 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1577 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1578 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1579 1580 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1581 1582 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1583 1584 tls1_transcript_free(s); 1585 tls1_transcript_hash_free(s); 1586 1587 free(s->s3->alpn_selected); 1588 1589 freezero(s->s3->peer_quic_transport_params, 1590 s->s3->peer_quic_transport_params_len); 1591 1592 freezero(s->s3, sizeof(*s->s3)); 1593 1594 s->s3 = NULL; 1595 } 1596 1597 void 1598 ssl3_clear(SSL *s) 1599 { 1600 unsigned char *rp, *wp; 1601 size_t rlen, wlen; 1602 1603 tls1_cleanup_key_block(s); 1604 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1605 1606 tls_buffer_free(s->s3->alert_fragment); 1607 s->s3->alert_fragment = NULL; 1608 tls_buffer_free(s->s3->handshake_fragment); 1609 s->s3->handshake_fragment = NULL; 1610 1611 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); 1612 s->s3->hs.sigalgs = NULL; 1613 s->s3->hs.sigalgs_len = 0; 1614 1615 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); 1616 s->s3->hs.peer_certs = NULL; 1617 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 1618 s->s3->hs.peer_certs_no_leaf = NULL; 1619 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); 1620 s->s3->hs.verified_chain = NULL; 1621 1622 tls_key_share_free(s->s3->hs.key_share); 1623 s->s3->hs.key_share = NULL; 1624 1625 tls13_secrets_destroy(s->s3->hs.tls13.secrets); 1626 s->s3->hs.tls13.secrets = NULL; 1627 freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); 1628 s->s3->hs.tls13.cookie = NULL; 1629 s->s3->hs.tls13.cookie_len = 0; 1630 tls13_clienthello_hash_clear(&s->s3->hs.tls13); 1631 1632 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); 1633 s->s3->hs.tls13.quic_read_buffer = NULL; 1634 s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; 1635 s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; 1636 1637 s->s3->hs.extensions_seen = 0; 1638 1639 rp = s->s3->rbuf.buf; 1640 wp = s->s3->wbuf.buf; 1641 rlen = s->s3->rbuf.len; 1642 wlen = s->s3->wbuf.len; 1643 1644 tls_content_free(s->s3->rcontent); 1645 s->s3->rcontent = NULL; 1646 1647 tls1_transcript_free(s); 1648 tls1_transcript_hash_free(s); 1649 1650 free(s->s3->alpn_selected); 1651 s->s3->alpn_selected = NULL; 1652 s->s3->alpn_selected_len = 0; 1653 1654 freezero(s->s3->peer_quic_transport_params, 1655 s->s3->peer_quic_transport_params_len); 1656 s->s3->peer_quic_transport_params = NULL; 1657 s->s3->peer_quic_transport_params_len = 0; 1658 1659 memset(s->s3, 0, sizeof(*s->s3)); 1660 1661 s->s3->rbuf.buf = rp; 1662 s->s3->wbuf.buf = wp; 1663 s->s3->rbuf.len = rlen; 1664 s->s3->wbuf.len = wlen; 1665 1666 ssl_free_wbio_buffer(s); 1667 1668 /* Not needed... */ 1669 s->s3->renegotiate = 0; 1670 s->s3->total_renegotiations = 0; 1671 s->s3->num_renegotiations = 0; 1672 s->s3->in_read_app_data = 0; 1673 1674 s->packet_length = 0; 1675 s->version = TLS1_VERSION; 1676 1677 s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1678 } 1679 1680 long 1681 _SSL_get_shared_group(SSL *s, long n) 1682 { 1683 size_t count; 1684 int nid; 1685 1686 /* OpenSSL document that they return -1 for clients. They return 0. */ 1687 if (!s->server) 1688 return 0; 1689 1690 if (n == -1) { 1691 if (!tls1_count_shared_groups(s, &count)) 1692 return 0; 1693 1694 if (count > LONG_MAX) 1695 count = LONG_MAX; 1696 1697 return count; 1698 } 1699 1700 /* Undocumented special case added for Suite B profile support. */ 1701 if (n == -2) 1702 n = 0; 1703 1704 if (n < 0) 1705 return 0; 1706 1707 if (!tls1_get_shared_group_by_index(s, n, &nid)) 1708 return NID_undef; 1709 1710 return nid; 1711 } 1712 1713 long 1714 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1715 { 1716 EVP_PKEY *pkey = NULL; 1717 int ret = 0; 1718 1719 *key = NULL; 1720 1721 if (s->s3->hs.key_share == NULL) 1722 goto err; 1723 1724 if ((pkey = EVP_PKEY_new()) == NULL) 1725 goto err; 1726 if (!tls_key_share_peer_pkey(s->s3->hs.key_share, pkey)) 1727 goto err; 1728 1729 *key = pkey; 1730 pkey = NULL; 1731 1732 ret = 1; 1733 1734 err: 1735 EVP_PKEY_free(pkey); 1736 1737 return (ret); 1738 } 1739 1740 static int 1741 _SSL_session_reused(SSL *s) 1742 { 1743 return s->hit; 1744 } 1745 1746 static int 1747 _SSL_num_renegotiations(SSL *s) 1748 { 1749 return s->s3->num_renegotiations; 1750 } 1751 1752 static int 1753 _SSL_clear_num_renegotiations(SSL *s) 1754 { 1755 int renegs; 1756 1757 renegs = s->s3->num_renegotiations; 1758 s->s3->num_renegotiations = 0; 1759 1760 return renegs; 1761 } 1762 1763 static int 1764 _SSL_total_renegotiations(SSL *s) 1765 { 1766 return s->s3->total_renegotiations; 1767 } 1768 1769 static int 1770 _SSL_set_tmp_dh(SSL *s, DH *dh) 1771 { 1772 DH *dhe_params; 1773 1774 if (dh == NULL) { 1775 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1776 return 0; 1777 } 1778 1779 if (!ssl_security_dh(s, dh)) { 1780 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); 1781 return 0; 1782 } 1783 1784 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1785 SSLerror(s, ERR_R_DH_LIB); 1786 return 0; 1787 } 1788 1789 DH_free(s->cert->dhe_params); 1790 s->cert->dhe_params = dhe_params; 1791 1792 return 1; 1793 } 1794 1795 static int 1796 _SSL_set_dh_auto(SSL *s, int state) 1797 { 1798 s->cert->dhe_params_auto = state; 1799 return 1; 1800 } 1801 1802 static int 1803 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1804 { 1805 const EC_GROUP *group; 1806 int nid; 1807 1808 if (ecdh == NULL) 1809 return 0; 1810 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1811 return 0; 1812 1813 nid = EC_GROUP_get_curve_name(group); 1814 return SSL_set1_groups(s, &nid, 1); 1815 } 1816 1817 static int 1818 _SSL_set_ecdh_auto(SSL *s, int state) 1819 { 1820 return 1; 1821 } 1822 1823 static int 1824 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1825 { 1826 int is_ip; 1827 CBS cbs; 1828 1829 free(s->tlsext_hostname); 1830 s->tlsext_hostname = NULL; 1831 1832 if (name == NULL) 1833 return 1; 1834 1835 CBS_init(&cbs, name, strlen(name)); 1836 1837 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { 1838 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1839 return 0; 1840 } 1841 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1842 SSLerror(s, ERR_R_INTERNAL_ERROR); 1843 return 0; 1844 } 1845 1846 return 1; 1847 } 1848 1849 static int 1850 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1851 { 1852 s->tlsext_debug_arg = arg; 1853 return 1; 1854 } 1855 1856 static int 1857 _SSL_get_tlsext_status_type(SSL *s) 1858 { 1859 return s->tlsext_status_type; 1860 } 1861 1862 static int 1863 _SSL_set_tlsext_status_type(SSL *s, int type) 1864 { 1865 s->tlsext_status_type = type; 1866 return 1; 1867 } 1868 1869 static int 1870 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1871 { 1872 *exts = s->tlsext_ocsp_exts; 1873 return 1; 1874 } 1875 1876 static int 1877 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1878 { 1879 /* XXX - leak... */ 1880 s->tlsext_ocsp_exts = exts; 1881 return 1; 1882 } 1883 1884 static int 1885 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1886 { 1887 *ids = s->tlsext_ocsp_ids; 1888 return 1; 1889 } 1890 1891 static int 1892 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1893 { 1894 /* XXX - leak... */ 1895 s->tlsext_ocsp_ids = ids; 1896 return 1; 1897 } 1898 1899 static int 1900 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1901 { 1902 if (s->tlsext_ocsp_resp != NULL && 1903 s->tlsext_ocsp_resp_len < INT_MAX) { 1904 *resp = s->tlsext_ocsp_resp; 1905 return (int)s->tlsext_ocsp_resp_len; 1906 } 1907 1908 *resp = NULL; 1909 1910 return -1; 1911 } 1912 1913 static int 1914 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1915 { 1916 free(s->tlsext_ocsp_resp); 1917 s->tlsext_ocsp_resp = NULL; 1918 s->tlsext_ocsp_resp_len = 0; 1919 1920 if (resp_len < 0) 1921 return 0; 1922 1923 s->tlsext_ocsp_resp = resp; 1924 s->tlsext_ocsp_resp_len = (size_t)resp_len; 1925 1926 return 1; 1927 } 1928 1929 int 1930 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1931 { 1932 return ssl_cert_set0_chain(NULL, ssl, chain); 1933 } 1934 1935 int 1936 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1937 { 1938 return ssl_cert_set1_chain(NULL, ssl, chain); 1939 } 1940 1941 int 1942 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1943 { 1944 return ssl_cert_add0_chain_cert(NULL, ssl, x509); 1945 } 1946 1947 int 1948 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1949 { 1950 return ssl_cert_add1_chain_cert(NULL, ssl, x509); 1951 } 1952 1953 int 1954 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1955 { 1956 *out_chain = NULL; 1957 1958 if (ssl->cert->key != NULL) 1959 *out_chain = ssl->cert->key->chain; 1960 1961 return 1; 1962 } 1963 1964 int 1965 SSL_clear_chain_certs(SSL *ssl) 1966 { 1967 return ssl_cert_set0_chain(NULL, ssl, NULL); 1968 } 1969 1970 int 1971 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1972 { 1973 return tls1_set_groups(&s->tlsext_supportedgroups, 1974 &s->tlsext_supportedgroups_length, groups, groups_len); 1975 } 1976 1977 int 1978 SSL_set1_groups_list(SSL *s, const char *groups) 1979 { 1980 return tls1_set_group_list(&s->tlsext_supportedgroups, 1981 &s->tlsext_supportedgroups_length, groups); 1982 } 1983 1984 static int 1985 _SSL_get_signature_nid(SSL *s, int *nid) 1986 { 1987 const struct ssl_sigalg *sigalg; 1988 1989 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 1990 return 0; 1991 1992 *nid = EVP_MD_type(sigalg->md()); 1993 1994 return 1; 1995 } 1996 1997 static int 1998 _SSL_get_peer_signature_nid(SSL *s, int *nid) 1999 { 2000 const struct ssl_sigalg *sigalg; 2001 2002 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2003 return 0; 2004 2005 *nid = EVP_MD_type(sigalg->md()); 2006 2007 return 1; 2008 } 2009 2010 int 2011 SSL_get_signature_type_nid(const SSL *s, int *nid) 2012 { 2013 const struct ssl_sigalg *sigalg; 2014 2015 if ((sigalg = s->s3->hs.our_sigalg) == NULL) 2016 return 0; 2017 2018 *nid = sigalg->key_type; 2019 if (sigalg->key_type == EVP_PKEY_RSA && 2020 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2021 *nid = EVP_PKEY_RSA_PSS; 2022 2023 return 1; 2024 } 2025 2026 int 2027 SSL_get_peer_signature_type_nid(const SSL *s, int *nid) 2028 { 2029 const struct ssl_sigalg *sigalg; 2030 2031 if ((sigalg = s->s3->hs.peer_sigalg) == NULL) 2032 return 0; 2033 2034 *nid = sigalg->key_type; 2035 if (sigalg->key_type == EVP_PKEY_RSA && 2036 (sigalg->flags & SIGALG_FLAG_RSA_PSS)) 2037 *nid = EVP_PKEY_RSA_PSS; 2038 2039 return 1; 2040 } 2041 2042 long 2043 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 2044 { 2045 switch (cmd) { 2046 case SSL_CTRL_GET_SESSION_REUSED: 2047 return _SSL_session_reused(s); 2048 2049 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 2050 return _SSL_num_renegotiations(s); 2051 2052 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 2053 return _SSL_clear_num_renegotiations(s); 2054 2055 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 2056 return _SSL_total_renegotiations(s); 2057 2058 case SSL_CTRL_SET_TMP_DH: 2059 return _SSL_set_tmp_dh(s, parg); 2060 2061 case SSL_CTRL_SET_TMP_DH_CB: 2062 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2063 return 0; 2064 2065 case SSL_CTRL_SET_DH_AUTO: 2066 return _SSL_set_dh_auto(s, larg); 2067 2068 case SSL_CTRL_SET_TMP_ECDH: 2069 return _SSL_set_tmp_ecdh(s, parg); 2070 2071 case SSL_CTRL_SET_TMP_ECDH_CB: 2072 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2073 return 0; 2074 2075 case SSL_CTRL_SET_ECDH_AUTO: 2076 return _SSL_set_ecdh_auto(s, larg); 2077 2078 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 2079 if (larg != TLSEXT_NAMETYPE_host_name) { 2080 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 2081 return 0; 2082 } 2083 return _SSL_set_tlsext_host_name(s, parg); 2084 2085 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 2086 return _SSL_set_tlsext_debug_arg(s, parg); 2087 2088 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: 2089 return _SSL_get_tlsext_status_type(s); 2090 2091 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 2092 return _SSL_set_tlsext_status_type(s, larg); 2093 2094 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 2095 return _SSL_get_tlsext_status_exts(s, parg); 2096 2097 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 2098 return _SSL_set_tlsext_status_exts(s, parg); 2099 2100 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 2101 return _SSL_get_tlsext_status_ids(s, parg); 2102 2103 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 2104 return _SSL_set_tlsext_status_ids(s, parg); 2105 2106 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2107 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2108 2109 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2110 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2111 2112 case SSL_CTRL_CHAIN: 2113 if (larg == 0) 2114 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2115 else 2116 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2117 2118 case SSL_CTRL_CHAIN_CERT: 2119 if (larg == 0) 2120 return SSL_add0_chain_cert(s, (X509 *)parg); 2121 else 2122 return SSL_add1_chain_cert(s, (X509 *)parg); 2123 2124 case SSL_CTRL_GET_CHAIN_CERTS: 2125 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2126 2127 case SSL_CTRL_SET_GROUPS: 2128 return SSL_set1_groups(s, parg, larg); 2129 2130 case SSL_CTRL_SET_GROUPS_LIST: 2131 return SSL_set1_groups_list(s, parg); 2132 2133 case SSL_CTRL_GET_SHARED_GROUP: 2134 return _SSL_get_shared_group(s, larg); 2135 2136 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2137 case SSL_CTRL_GET_SERVER_TMP_KEY: 2138 if (s->server != 0) 2139 return 0; 2140 return _SSL_get_peer_tmp_key(s, parg); 2141 2142 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2143 return SSL_get_min_proto_version(s); 2144 2145 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2146 return SSL_get_max_proto_version(s); 2147 2148 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2149 if (larg < 0 || larg > UINT16_MAX) 2150 return 0; 2151 return SSL_set_min_proto_version(s, larg); 2152 2153 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2154 if (larg < 0 || larg > UINT16_MAX) 2155 return 0; 2156 return SSL_set_max_proto_version(s, larg); 2157 2158 case SSL_CTRL_GET_SIGNATURE_NID: 2159 return _SSL_get_signature_nid(s, parg); 2160 2161 case SSL_CTRL_GET_PEER_SIGNATURE_NID: 2162 return _SSL_get_peer_signature_nid(s, parg); 2163 2164 /* 2165 * Legacy controls that should eventually be removed. 2166 */ 2167 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2168 return 0; 2169 2170 case SSL_CTRL_GET_FLAGS: 2171 return (int)(s->s3->flags); 2172 2173 case SSL_CTRL_NEED_TMP_RSA: 2174 return 0; 2175 2176 case SSL_CTRL_SET_TMP_RSA: 2177 case SSL_CTRL_SET_TMP_RSA_CB: 2178 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2179 return 0; 2180 } 2181 2182 return 0; 2183 } 2184 2185 long 2186 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2187 { 2188 switch (cmd) { 2189 case SSL_CTRL_SET_TMP_RSA_CB: 2190 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2191 return 0; 2192 2193 case SSL_CTRL_SET_TMP_DH_CB: 2194 s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; 2195 return 1; 2196 2197 case SSL_CTRL_SET_TMP_ECDH_CB: 2198 return 1; 2199 2200 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2201 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2202 unsigned char *, int, void *))fp; 2203 return 1; 2204 } 2205 2206 return 0; 2207 } 2208 2209 static int 2210 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2211 { 2212 DH *dhe_params; 2213 2214 if (dh == NULL) { 2215 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); 2216 return 0; 2217 } 2218 2219 if (!ssl_ctx_security_dh(ctx, dh)) { 2220 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); 2221 return 0; 2222 } 2223 2224 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2225 SSLerrorx(ERR_R_DH_LIB); 2226 return 0; 2227 } 2228 2229 DH_free(ctx->cert->dhe_params); 2230 ctx->cert->dhe_params = dhe_params; 2231 2232 return 1; 2233 } 2234 2235 static int 2236 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2237 { 2238 ctx->cert->dhe_params_auto = state; 2239 return 1; 2240 } 2241 2242 static int 2243 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2244 { 2245 const EC_GROUP *group; 2246 int nid; 2247 2248 if (ecdh == NULL) 2249 return 0; 2250 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2251 return 0; 2252 2253 nid = EC_GROUP_get_curve_name(group); 2254 return SSL_CTX_set1_groups(ctx, &nid, 1); 2255 } 2256 2257 static int 2258 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2259 { 2260 return 1; 2261 } 2262 2263 static int 2264 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2265 { 2266 ctx->tlsext_servername_arg = arg; 2267 return 1; 2268 } 2269 2270 static int 2271 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2272 { 2273 if (keys == NULL) 2274 return 48; 2275 2276 if (keys_len != 48) { 2277 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2278 return 0; 2279 } 2280 2281 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2282 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2283 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2284 2285 return 1; 2286 } 2287 2288 static int 2289 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2290 { 2291 if (keys == NULL) 2292 return 48; 2293 2294 if (keys_len != 48) { 2295 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2296 return 0; 2297 } 2298 2299 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2300 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2301 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2302 2303 return 1; 2304 } 2305 2306 static int 2307 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2308 { 2309 *arg = ctx->tlsext_status_arg; 2310 return 1; 2311 } 2312 2313 static int 2314 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2315 { 2316 ctx->tlsext_status_arg = arg; 2317 return 1; 2318 } 2319 2320 int 2321 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2322 { 2323 return ssl_cert_set0_chain(ctx, NULL, chain); 2324 } 2325 2326 int 2327 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2328 { 2329 return ssl_cert_set1_chain(ctx, NULL, chain); 2330 } 2331 2332 int 2333 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2334 { 2335 return ssl_cert_add0_chain_cert(ctx, NULL, x509); 2336 } 2337 2338 int 2339 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2340 { 2341 return ssl_cert_add1_chain_cert(ctx, NULL, x509); 2342 } 2343 2344 int 2345 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2346 { 2347 *out_chain = NULL; 2348 2349 if (ctx->cert->key != NULL) 2350 *out_chain = ctx->cert->key->chain; 2351 2352 return 1; 2353 } 2354 2355 int 2356 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2357 { 2358 return ssl_cert_set0_chain(ctx, NULL, NULL); 2359 } 2360 2361 static int 2362 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2363 { 2364 if (ctx->extra_certs == NULL) { 2365 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2366 return 0; 2367 } 2368 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2369 return 0; 2370 2371 return 1; 2372 } 2373 2374 static int 2375 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2376 { 2377 *certs = ctx->extra_certs; 2378 if (*certs == NULL) 2379 *certs = ctx->cert->key->chain; 2380 2381 return 1; 2382 } 2383 2384 static int 2385 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2386 { 2387 *certs = ctx->extra_certs; 2388 return 1; 2389 } 2390 2391 static int 2392 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2393 { 2394 sk_X509_pop_free(ctx->extra_certs, X509_free); 2395 ctx->extra_certs = NULL; 2396 return 1; 2397 } 2398 2399 int 2400 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2401 { 2402 return tls1_set_groups(&ctx->tlsext_supportedgroups, 2403 &ctx->tlsext_supportedgroups_length, groups, groups_len); 2404 } 2405 2406 int 2407 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2408 { 2409 return tls1_set_group_list(&ctx->tlsext_supportedgroups, 2410 &ctx->tlsext_supportedgroups_length, groups); 2411 } 2412 2413 long 2414 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2415 { 2416 switch (cmd) { 2417 case SSL_CTRL_SET_TMP_DH: 2418 return _SSL_CTX_set_tmp_dh(ctx, parg); 2419 2420 case SSL_CTRL_SET_TMP_DH_CB: 2421 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2422 return 0; 2423 2424 case SSL_CTRL_SET_DH_AUTO: 2425 return _SSL_CTX_set_dh_auto(ctx, larg); 2426 2427 case SSL_CTRL_SET_TMP_ECDH: 2428 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2429 2430 case SSL_CTRL_SET_TMP_ECDH_CB: 2431 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2432 return 0; 2433 2434 case SSL_CTRL_SET_ECDH_AUTO: 2435 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2436 2437 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2438 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2439 2440 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2441 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2442 2443 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2444 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2445 2446 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2447 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2448 2449 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2450 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2451 2452 case SSL_CTRL_CHAIN: 2453 if (larg == 0) 2454 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2455 else 2456 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2457 2458 case SSL_CTRL_CHAIN_CERT: 2459 if (larg == 0) 2460 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2461 else 2462 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2463 2464 case SSL_CTRL_GET_CHAIN_CERTS: 2465 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2466 2467 case SSL_CTRL_EXTRA_CHAIN_CERT: 2468 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2469 2470 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2471 if (larg == 0) 2472 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2473 else 2474 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2475 2476 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2477 return _SSL_CTX_clear_extra_chain_certs(ctx); 2478 2479 case SSL_CTRL_SET_GROUPS: 2480 return SSL_CTX_set1_groups(ctx, parg, larg); 2481 2482 case SSL_CTRL_SET_GROUPS_LIST: 2483 return SSL_CTX_set1_groups_list(ctx, parg); 2484 2485 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2486 return SSL_CTX_get_min_proto_version(ctx); 2487 2488 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2489 return SSL_CTX_get_max_proto_version(ctx); 2490 2491 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2492 if (larg < 0 || larg > UINT16_MAX) 2493 return 0; 2494 return SSL_CTX_set_min_proto_version(ctx, larg); 2495 2496 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2497 if (larg < 0 || larg > UINT16_MAX) 2498 return 0; 2499 return SSL_CTX_set_max_proto_version(ctx, larg); 2500 2501 /* 2502 * Legacy controls that should eventually be removed. 2503 */ 2504 case SSL_CTRL_NEED_TMP_RSA: 2505 return 0; 2506 2507 case SSL_CTRL_SET_TMP_RSA: 2508 case SSL_CTRL_SET_TMP_RSA_CB: 2509 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2510 return 0; 2511 } 2512 2513 return 0; 2514 } 2515 2516 long 2517 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2518 { 2519 switch (cmd) { 2520 case SSL_CTRL_SET_TMP_RSA_CB: 2521 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2522 return 0; 2523 2524 case SSL_CTRL_SET_TMP_DH_CB: 2525 ctx->cert->dhe_params_cb = 2526 (DH *(*)(SSL *, int, int))fp; 2527 return 1; 2528 2529 case SSL_CTRL_SET_TMP_ECDH_CB: 2530 return 1; 2531 2532 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2533 ctx->tlsext_servername_callback = 2534 (int (*)(SSL *, int *, void *))fp; 2535 return 1; 2536 2537 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2538 *(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb; 2539 return 1; 2540 2541 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2542 ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2543 return 1; 2544 2545 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2546 ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2547 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2548 return 1; 2549 } 2550 2551 return 0; 2552 } 2553 2554 SSL_CIPHER * 2555 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2556 STACK_OF(SSL_CIPHER) *srvr) 2557 { 2558 unsigned long alg_k, alg_a, mask_k, mask_a; 2559 STACK_OF(SSL_CIPHER) *prio, *allow; 2560 SSL_CIPHER *c, *ret = NULL; 2561 int can_use_ecc; 2562 int i, ii, nid, ok; 2563 SSL_CERT *cert; 2564 2565 /* Let's see which ciphers we can support */ 2566 cert = s->cert; 2567 2568 can_use_ecc = tls1_get_supported_group(s, &nid); 2569 2570 /* 2571 * Do not set the compare functions, because this may lead to a 2572 * reordering by "id". We want to keep the original ordering. 2573 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2574 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2575 */ 2576 2577 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2578 prio = srvr; 2579 allow = clnt; 2580 } else { 2581 prio = clnt; 2582 allow = srvr; 2583 } 2584 2585 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2586 c = sk_SSL_CIPHER_value(prio, i); 2587 2588 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2589 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2590 !SSL_USE_TLS1_2_CIPHERS(s)) 2591 continue; 2592 2593 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2594 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2595 !SSL_USE_TLS1_3_CIPHERS(s)) 2596 continue; 2597 2598 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2599 if (SSL_USE_TLS1_3_CIPHERS(s) && 2600 !(c->algorithm_ssl & SSL_TLSV1_3)) 2601 continue; 2602 2603 if (!ssl_security_shared_cipher(s, c)) 2604 continue; 2605 2606 ssl_set_cert_masks(cert, c); 2607 mask_k = cert->mask_k; 2608 mask_a = cert->mask_a; 2609 2610 alg_k = c->algorithm_mkey; 2611 alg_a = c->algorithm_auth; 2612 2613 ok = (alg_k & mask_k) && (alg_a & mask_a); 2614 2615 /* 2616 * If we are considering an ECC cipher suite that uses our 2617 * certificate check it. 2618 */ 2619 if (alg_a & SSL_aECDSA) 2620 ok = ok && tls1_check_ec_server_key(s); 2621 /* 2622 * If we are considering an ECC cipher suite that uses 2623 * an ephemeral EC key check it. 2624 */ 2625 if (alg_k & SSL_kECDHE) 2626 ok = ok && can_use_ecc; 2627 2628 if (!ok) 2629 continue; 2630 ii = sk_SSL_CIPHER_find(allow, c); 2631 if (ii >= 0) { 2632 ret = sk_SSL_CIPHER_value(allow, ii); 2633 break; 2634 } 2635 } 2636 return (ret); 2637 } 2638 2639 int 2640 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2641 { 2642 unsigned long alg_k; 2643 2644 alg_k = s->s3->hs.cipher->algorithm_mkey; 2645 2646 #ifndef OPENSSL_NO_GOST 2647 if ((alg_k & SSL_kGOST) != 0) { 2648 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2649 return 0; 2650 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2651 return 0; 2652 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2653 return 0; 2654 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2655 return 0; 2656 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2657 return 0; 2658 } 2659 #endif 2660 2661 if ((alg_k & SSL_kDHE) != 0) { 2662 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2663 return 0; 2664 } 2665 2666 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2667 return 0; 2668 2669 /* 2670 * ECDSA certs can be used with RSA cipher suites as well 2671 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2672 */ 2673 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2674 return 0; 2675 2676 return 1; 2677 } 2678 2679 int 2680 ssl3_shutdown(SSL *s) 2681 { 2682 int ret; 2683 2684 /* 2685 * Don't do anything much if we have not done the handshake or 2686 * we don't want to send messages :-) 2687 */ 2688 if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { 2689 s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2690 return (1); 2691 } 2692 2693 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { 2694 s->shutdown|=SSL_SENT_SHUTDOWN; 2695 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2696 /* 2697 * Our shutdown alert has been sent now, and if it still needs 2698 * to be written, s->s3->alert_dispatch will be true 2699 */ 2700 if (s->s3->alert_dispatch) 2701 return (-1); /* return WANT_WRITE */ 2702 } else if (s->s3->alert_dispatch) { 2703 /* resend it if not sent */ 2704 ret = ssl3_dispatch_alert(s); 2705 if (ret == -1) { 2706 /* 2707 * We only get to return -1 here the 2nd/Nth 2708 * invocation, we must have already signalled 2709 * return 0 upon a previous invoation, 2710 * return WANT_WRITE 2711 */ 2712 return (ret); 2713 } 2714 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2715 /* If we are waiting for a close from our peer, we are closed */ 2716 s->method->ssl_read_bytes(s, 0, NULL, 0, 0); 2717 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2718 return (-1); /* return WANT_READ */ 2719 } 2720 } 2721 2722 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2723 !s->s3->alert_dispatch) 2724 return (1); 2725 else 2726 return (0); 2727 } 2728 2729 int 2730 ssl3_write(SSL *s, const void *buf, int len) 2731 { 2732 errno = 0; 2733 2734 if (s->s3->renegotiate) 2735 ssl3_renegotiate_check(s); 2736 2737 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, 2738 buf, len); 2739 } 2740 2741 static int 2742 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2743 { 2744 int ret; 2745 2746 errno = 0; 2747 if (s->s3->renegotiate) 2748 ssl3_renegotiate_check(s); 2749 s->s3->in_read_app_data = 1; 2750 2751 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, 2752 peek); 2753 if ((ret == -1) && (s->s3->in_read_app_data == 2)) { 2754 /* 2755 * ssl3_read_bytes decided to call s->handshake_func, 2756 * which called ssl3_read_bytes to read handshake data. 2757 * However, ssl3_read_bytes actually found application data 2758 * and thinks that application data makes sense here; so disable 2759 * handshake processing and try to read application data again. 2760 */ 2761 s->in_handshake++; 2762 ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, 2763 buf, len, peek); 2764 s->in_handshake--; 2765 } else 2766 s->s3->in_read_app_data = 0; 2767 2768 return (ret); 2769 } 2770 2771 int 2772 ssl3_read(SSL *s, void *buf, int len) 2773 { 2774 return ssl3_read_internal(s, buf, len, 0); 2775 } 2776 2777 int 2778 ssl3_peek(SSL *s, void *buf, int len) 2779 { 2780 return ssl3_read_internal(s, buf, len, 1); 2781 } 2782 2783 int 2784 ssl3_renegotiate(SSL *s) 2785 { 2786 if (s->handshake_func == NULL) 2787 return 1; 2788 2789 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2790 return 0; 2791 2792 s->s3->renegotiate = 1; 2793 2794 return 1; 2795 } 2796 2797 int 2798 ssl3_renegotiate_check(SSL *s) 2799 { 2800 if (!s->s3->renegotiate) 2801 return 0; 2802 if (SSL_in_init(s) || s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0) 2803 return 0; 2804 2805 s->s3->hs.state = SSL_ST_RENEGOTIATE; 2806 s->s3->renegotiate = 0; 2807 s->s3->num_renegotiations++; 2808 s->s3->total_renegotiations++; 2809 2810 return 1; 2811 } 2812