GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libssl/s3_lib.c Lines: 274 514 53.3 %
Date: 2017-11-13 Branches: 104 289 36.0 %

Line Branch Exec Source
1
/* $OpenBSD: s3_lib.c,v 1.162 2017/10/08 16:24:02 jsing Exp $ */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
 * All rights reserved.
4
 *
5
 * This package is an SSL implementation written
6
 * by Eric Young (eay@cryptsoft.com).
7
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9
 * This library is free for commercial and non-commercial use as long as
10
 * the following conditions are aheared to.  The following conditions
11
 * apply to all code found in this distribution, be it the RC4, RSA,
12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13
 * included with this distribution is covered by the same copyright terms
14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16
 * Copyright remains Eric Young's, and as such any Copyright notices in
17
 * the code are not to be removed.
18
 * If this package is used in a product, Eric Young should be given attribution
19
 * as the author of the parts of the library used.
20
 * This can be in the form of a textual message at program startup or
21
 * in documentation (online or textual) provided with the package.
22
 *
23
 * Redistribution and use in source and binary forms, with or without
24
 * modification, are permitted provided that the following conditions
25
 * are met:
26
 * 1. Redistributions of source code must retain the copyright
27
 *    notice, this list of conditions and the following disclaimer.
28
 * 2. Redistributions in binary form must reproduce the above copyright
29
 *    notice, this list of conditions and the following disclaimer in the
30
 *    documentation and/or other materials provided with the distribution.
31
 * 3. All advertising materials mentioning features or use of this software
32
 *    must display the following acknowledgement:
33
 *    "This product includes cryptographic software written by
34
 *     Eric Young (eay@cryptsoft.com)"
35
 *    The word 'cryptographic' can be left out if the rouines from the library
36
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38
 *    the apps directory (application code) you must include an acknowledgement:
39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
 * SUCH DAMAGE.
52
 *
53
 * The licence and distribution terms for any publically available version or
54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55
 * copied and put under another distribution licence
56
 * [including the GNU Public Licence.]
57
 */
58
/* ====================================================================
59
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60
 *
61
 * Redistribution and use in source and binary forms, with or without
62
 * modification, are permitted provided that the following conditions
63
 * are met:
64
 *
65
 * 1. Redistributions of source code must retain the above copyright
66
 *    notice, this list of conditions and the following disclaimer.
67
 *
68
 * 2. Redistributions in binary form must reproduce the above copyright
69
 *    notice, this list of conditions and the following disclaimer in
70
 *    the documentation and/or other materials provided with the
71
 *    distribution.
72
 *
73
 * 3. All advertising materials mentioning features or use of this
74
 *    software must display the following acknowledgment:
75
 *    "This product includes software developed by the OpenSSL Project
76
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77
 *
78
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79
 *    endorse or promote products derived from this software without
80
 *    prior written permission. For written permission, please contact
81
 *    openssl-core@openssl.org.
82
 *
83
 * 5. Products derived from this software may not be called "OpenSSL"
84
 *    nor may "OpenSSL" appear in their names without prior written
85
 *    permission of the OpenSSL Project.
86
 *
87
 * 6. Redistributions of any form whatsoever must retain the following
88
 *    acknowledgment:
89
 *    "This product includes software developed by the OpenSSL Project
90
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91
 *
92
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103
 * OF THE POSSIBILITY OF SUCH DAMAGE.
104
 * ====================================================================
105
 *
106
 * This product includes cryptographic software written by Eric Young
107
 * (eay@cryptsoft.com).  This product includes software written by Tim
108
 * Hudson (tjh@cryptsoft.com).
109
 *
110
 */
111
/* ====================================================================
112
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113
 *
114
 * Portions of the attached software ("Contribution") are developed by
115
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116
 *
117
 * The Contribution is licensed pursuant to the OpenSSL open source
118
 * license provided above.
119
 *
120
 * ECC cipher suite support in OpenSSL originally written by
121
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122
 *
123
 */
124
/* ====================================================================
125
 * Copyright 2005 Nokia. All rights reserved.
126
 *
127
 * The portions of the attached software ("Contribution") is developed by
128
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129
 * license.
130
 *
131
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133
 * support (see RFC 4279) to OpenSSL.
134
 *
135
 * No patent licenses or other rights except those expressly stated in
136
 * the OpenSSL open source license shall be deemed granted or received
137
 * expressly, by implication, estoppel, or otherwise.
138
 *
139
 * No assurances are provided by Nokia that the Contribution does not
140
 * infringe the patent or other intellectual property rights of any third
141
 * party or that the license provides you with all the necessary rights
142
 * to make use of the Contribution.
143
 *
144
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148
 * OTHERWISE.
149
 */
150
151
#include <limits.h>
152
#include <stdio.h>
153
154
#include <openssl/bn.h>
155
#include <openssl/curve25519.h>
156
#include <openssl/dh.h>
157
#include <openssl/md5.h>
158
#include <openssl/objects.h>
159
160
#include "ssl_locl.h"
161
#include "bytestring.h"
162
163
#define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
164
165
/*
166
 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
167
 * fixed nonce length in algorithms2. It is the inverse of the
168
 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
169
 */
170
#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
171
172
/* list of available SSLv3 ciphers (sorted by id) */
173
SSL_CIPHER ssl3_ciphers[] = {
174
175
	/* The RSA ciphers */
176
	/* Cipher 01 */
177
	{
178
		.valid = 1,
179
		.name = SSL3_TXT_RSA_NULL_MD5,
180
		.id = SSL3_CK_RSA_NULL_MD5,
181
		.algorithm_mkey = SSL_kRSA,
182
		.algorithm_auth = SSL_aRSA,
183
		.algorithm_enc = SSL_eNULL,
184
		.algorithm_mac = SSL_MD5,
185
		.algorithm_ssl = SSL_SSLV3,
186
		.algo_strength = SSL_STRONG_NONE,
187
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
188
		.strength_bits = 0,
189
		.alg_bits = 0,
190
	},
191
192
	/* Cipher 02 */
193
	{
194
		.valid = 1,
195
		.name = SSL3_TXT_RSA_NULL_SHA,
196
		.id = SSL3_CK_RSA_NULL_SHA,
197
		.algorithm_mkey = SSL_kRSA,
198
		.algorithm_auth = SSL_aRSA,
199
		.algorithm_enc = SSL_eNULL,
200
		.algorithm_mac = SSL_SHA1,
201
		.algorithm_ssl = SSL_SSLV3,
202
		.algo_strength = SSL_STRONG_NONE,
203
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
204
		.strength_bits = 0,
205
		.alg_bits = 0,
206
	},
207
208
	/* Cipher 04 */
209
	{
210
		.valid = 1,
211
		.name = SSL3_TXT_RSA_RC4_128_MD5,
212
		.id = SSL3_CK_RSA_RC4_128_MD5,
213
		.algorithm_mkey = SSL_kRSA,
214
		.algorithm_auth = SSL_aRSA,
215
		.algorithm_enc = SSL_RC4,
216
		.algorithm_mac = SSL_MD5,
217
		.algorithm_ssl = SSL_SSLV3,
218
		.algo_strength = SSL_LOW,
219
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
220
		.strength_bits = 128,
221
		.alg_bits = 128,
222
	},
223
224
	/* Cipher 05 */
225
	{
226
		.valid = 1,
227
		.name = SSL3_TXT_RSA_RC4_128_SHA,
228
		.id = SSL3_CK_RSA_RC4_128_SHA,
229
		.algorithm_mkey = SSL_kRSA,
230
		.algorithm_auth = SSL_aRSA,
231
		.algorithm_enc = SSL_RC4,
232
		.algorithm_mac = SSL_SHA1,
233
		.algorithm_ssl = SSL_SSLV3,
234
		.algo_strength = SSL_LOW,
235
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
236
		.strength_bits = 128,
237
		.alg_bits = 128,
238
	},
239
240
	/* Cipher 09 */
241
	{
242
		.valid = 1,
243
		.name = SSL3_TXT_RSA_DES_64_CBC_SHA,
244
		.id = SSL3_CK_RSA_DES_64_CBC_SHA,
245
		.algorithm_mkey = SSL_kRSA,
246
		.algorithm_auth = SSL_aRSA,
247
		.algorithm_enc = SSL_DES,
248
		.algorithm_mac = SSL_SHA1,
249
		.algorithm_ssl = SSL_SSLV3,
250
		.algo_strength = SSL_LOW,
251
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
252
		.strength_bits = 56,
253
		.alg_bits = 56,
254
	},
255
256
	/* Cipher 0A */
257
	{
258
		.valid = 1,
259
		.name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
260
		.id = SSL3_CK_RSA_DES_192_CBC3_SHA,
261
		.algorithm_mkey = SSL_kRSA,
262
		.algorithm_auth = SSL_aRSA,
263
		.algorithm_enc = SSL_3DES,
264
		.algorithm_mac = SSL_SHA1,
265
		.algorithm_ssl = SSL_SSLV3,
266
		.algo_strength = SSL_MEDIUM,
267
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
268
		.strength_bits = 112,
269
		.alg_bits = 168,
270
	},
271
272
	/*
273
	 * Ephemeral DH (DHE) ciphers.
274
	 */
275
276
	/* Cipher 15 */
277
	{
278
		.valid = 1,
279
		.name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
280
		.id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
281
		.algorithm_mkey = SSL_kDHE,
282
		.algorithm_auth = SSL_aRSA,
283
		.algorithm_enc = SSL_DES,
284
		.algorithm_mac = SSL_SHA1,
285
		.algorithm_ssl = SSL_SSLV3,
286
		.algo_strength = SSL_LOW,
287
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
288
		.strength_bits = 56,
289
		.alg_bits = 56,
290
	},
291
292
	/* Cipher 16 */
293
	{
294
		.valid = 1,
295
		.name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
296
		.id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
297
		.algorithm_mkey = SSL_kDHE,
298
		.algorithm_auth = SSL_aRSA,
299
		.algorithm_enc = SSL_3DES,
300
		.algorithm_mac = SSL_SHA1,
301
		.algorithm_ssl = SSL_SSLV3,
302
		.algo_strength = SSL_MEDIUM,
303
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
304
		.strength_bits = 112,
305
		.alg_bits = 168,
306
	},
307
308
	/* Cipher 18 */
309
	{
310
		.valid = 1,
311
		.name = SSL3_TXT_ADH_RC4_128_MD5,
312
		.id = SSL3_CK_ADH_RC4_128_MD5,
313
		.algorithm_mkey = SSL_kDHE,
314
		.algorithm_auth = SSL_aNULL,
315
		.algorithm_enc = SSL_RC4,
316
		.algorithm_mac = SSL_MD5,
317
		.algorithm_ssl = SSL_SSLV3,
318
		.algo_strength = SSL_LOW,
319
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
320
		.strength_bits = 128,
321
		.alg_bits = 128,
322
	},
323
324
	/* Cipher 1A */
325
	{
326
		.valid = 1,
327
		.name = SSL3_TXT_ADH_DES_64_CBC_SHA,
328
		.id = SSL3_CK_ADH_DES_64_CBC_SHA,
329
		.algorithm_mkey = SSL_kDHE,
330
		.algorithm_auth = SSL_aNULL,
331
		.algorithm_enc = SSL_DES,
332
		.algorithm_mac = SSL_SHA1,
333
		.algorithm_ssl = SSL_SSLV3,
334
		.algo_strength = SSL_LOW,
335
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
336
		.strength_bits = 56,
337
		.alg_bits = 56,
338
	},
339
340
	/* Cipher 1B */
341
	{
342
		.valid = 1,
343
		.name = SSL3_TXT_ADH_DES_192_CBC_SHA,
344
		.id = SSL3_CK_ADH_DES_192_CBC_SHA,
345
		.algorithm_mkey = SSL_kDHE,
346
		.algorithm_auth = SSL_aNULL,
347
		.algorithm_enc = SSL_3DES,
348
		.algorithm_mac = SSL_SHA1,
349
		.algorithm_ssl = SSL_SSLV3,
350
		.algo_strength = SSL_MEDIUM,
351
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
352
		.strength_bits = 112,
353
		.alg_bits = 168,
354
	},
355
356
	/*
357
	 * AES ciphersuites.
358
	 */
359
360
	/* Cipher 2F */
361
	{
362
		.valid = 1,
363
		.name = TLS1_TXT_RSA_WITH_AES_128_SHA,
364
		.id = TLS1_CK_RSA_WITH_AES_128_SHA,
365
		.algorithm_mkey = SSL_kRSA,
366
		.algorithm_auth = SSL_aRSA,
367
		.algorithm_enc = SSL_AES128,
368
		.algorithm_mac = SSL_SHA1,
369
		.algorithm_ssl = SSL_TLSV1,
370
		.algo_strength = SSL_HIGH,
371
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
372
		.strength_bits = 128,
373
		.alg_bits = 128,
374
	},
375
376
	/* Cipher 33 */
377
	{
378
		.valid = 1,
379
		.name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
380
		.id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
381
		.algorithm_mkey = SSL_kDHE,
382
		.algorithm_auth = SSL_aRSA,
383
		.algorithm_enc = SSL_AES128,
384
		.algorithm_mac = SSL_SHA1,
385
		.algorithm_ssl = SSL_TLSV1,
386
		.algo_strength = SSL_HIGH,
387
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
388
		.strength_bits = 128,
389
		.alg_bits = 128,
390
	},
391
392
	/* Cipher 34 */
393
	{
394
		.valid = 1,
395
		.name = TLS1_TXT_ADH_WITH_AES_128_SHA,
396
		.id = TLS1_CK_ADH_WITH_AES_128_SHA,
397
		.algorithm_mkey = SSL_kDHE,
398
		.algorithm_auth = SSL_aNULL,
399
		.algorithm_enc = SSL_AES128,
400
		.algorithm_mac = SSL_SHA1,
401
		.algorithm_ssl = SSL_TLSV1,
402
		.algo_strength = SSL_HIGH,
403
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
404
		.strength_bits = 128,
405
		.alg_bits = 128,
406
	},
407
408
	/* Cipher 35 */
409
	{
410
		.valid = 1,
411
		.name = TLS1_TXT_RSA_WITH_AES_256_SHA,
412
		.id = TLS1_CK_RSA_WITH_AES_256_SHA,
413
		.algorithm_mkey = SSL_kRSA,
414
		.algorithm_auth = SSL_aRSA,
415
		.algorithm_enc = SSL_AES256,
416
		.algorithm_mac = SSL_SHA1,
417
		.algorithm_ssl = SSL_TLSV1,
418
		.algo_strength = SSL_HIGH,
419
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
420
		.strength_bits = 256,
421
		.alg_bits = 256,
422
	},
423
424
	/* Cipher 39 */
425
	{
426
		.valid = 1,
427
		.name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
428
		.id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
429
		.algorithm_mkey = SSL_kDHE,
430
		.algorithm_auth = SSL_aRSA,
431
		.algorithm_enc = SSL_AES256,
432
		.algorithm_mac = SSL_SHA1,
433
		.algorithm_ssl = SSL_TLSV1,
434
		.algo_strength = SSL_HIGH,
435
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
436
		.strength_bits = 256,
437
		.alg_bits = 256,
438
	},
439
440
	/* Cipher 3A */
441
	{
442
		.valid = 1,
443
		.name = TLS1_TXT_ADH_WITH_AES_256_SHA,
444
		.id = TLS1_CK_ADH_WITH_AES_256_SHA,
445
		.algorithm_mkey = SSL_kDHE,
446
		.algorithm_auth = SSL_aNULL,
447
		.algorithm_enc = SSL_AES256,
448
		.algorithm_mac = SSL_SHA1,
449
		.algorithm_ssl = SSL_TLSV1,
450
		.algo_strength = SSL_HIGH,
451
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
452
		.strength_bits = 256,
453
		.alg_bits = 256,
454
	},
455
456
	/* TLS v1.2 ciphersuites */
457
	/* Cipher 3B */
458
	{
459
		.valid = 1,
460
		.name = TLS1_TXT_RSA_WITH_NULL_SHA256,
461
		.id = TLS1_CK_RSA_WITH_NULL_SHA256,
462
		.algorithm_mkey = SSL_kRSA,
463
		.algorithm_auth = SSL_aRSA,
464
		.algorithm_enc = SSL_eNULL,
465
		.algorithm_mac = SSL_SHA256,
466
		.algorithm_ssl = SSL_TLSV1_2,
467
		.algo_strength = SSL_STRONG_NONE,
468
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
469
		.strength_bits = 0,
470
		.alg_bits = 0,
471
	},
472
473
	/* Cipher 3C */
474
	{
475
		.valid = 1,
476
		.name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
477
		.id = TLS1_CK_RSA_WITH_AES_128_SHA256,
478
		.algorithm_mkey = SSL_kRSA,
479
		.algorithm_auth = SSL_aRSA,
480
		.algorithm_enc = SSL_AES128,
481
		.algorithm_mac = SSL_SHA256,
482
		.algorithm_ssl = SSL_TLSV1_2,
483
		.algo_strength = SSL_HIGH,
484
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
485
		.strength_bits = 128,
486
		.alg_bits = 128,
487
	},
488
489
	/* Cipher 3D */
490
	{
491
		.valid = 1,
492
		.name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
493
		.id = TLS1_CK_RSA_WITH_AES_256_SHA256,
494
		.algorithm_mkey = SSL_kRSA,
495
		.algorithm_auth = SSL_aRSA,
496
		.algorithm_enc = SSL_AES256,
497
		.algorithm_mac = SSL_SHA256,
498
		.algorithm_ssl = SSL_TLSV1_2,
499
		.algo_strength = SSL_HIGH,
500
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
501
		.strength_bits = 256,
502
		.alg_bits = 256,
503
	},
504
505
#ifndef OPENSSL_NO_CAMELLIA
506
	/* Camellia ciphersuites from RFC4132 (128-bit portion) */
507
508
	/* Cipher 41 */
509
	{
510
		.valid = 1,
511
		.name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
512
		.id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
513
		.algorithm_mkey = SSL_kRSA,
514
		.algorithm_auth = SSL_aRSA,
515
		.algorithm_enc = SSL_CAMELLIA128,
516
		.algorithm_mac = SSL_SHA1,
517
		.algorithm_ssl = SSL_TLSV1,
518
		.algo_strength = SSL_HIGH,
519
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
520
		.strength_bits = 128,
521
		.alg_bits = 128,
522
	},
523
524
	/* Cipher 45 */
525
	{
526
		.valid = 1,
527
		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
528
		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
529
		.algorithm_mkey = SSL_kDHE,
530
		.algorithm_auth = SSL_aRSA,
531
		.algorithm_enc = SSL_CAMELLIA128,
532
		.algorithm_mac = SSL_SHA1,
533
		.algorithm_ssl = SSL_TLSV1,
534
		.algo_strength = SSL_HIGH,
535
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
536
		.strength_bits = 128,
537
		.alg_bits = 128,
538
	},
539
540
	/* Cipher 46 */
541
	{
542
		.valid = 1,
543
		.name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
544
		.id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
545
		.algorithm_mkey = SSL_kDHE,
546
		.algorithm_auth = SSL_aNULL,
547
		.algorithm_enc = SSL_CAMELLIA128,
548
		.algorithm_mac = SSL_SHA1,
549
		.algorithm_ssl = SSL_TLSV1,
550
		.algo_strength = SSL_HIGH,
551
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
552
		.strength_bits = 128,
553
		.alg_bits = 128,
554
	},
555
#endif /* OPENSSL_NO_CAMELLIA */
556
557
	/* TLS v1.2 ciphersuites */
558
	/* Cipher 67 */
559
	{
560
		.valid = 1,
561
		.name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
562
		.id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
563
		.algorithm_mkey = SSL_kDHE,
564
		.algorithm_auth = SSL_aRSA,
565
		.algorithm_enc = SSL_AES128,
566
		.algorithm_mac = SSL_SHA256,
567
		.algorithm_ssl = SSL_TLSV1_2,
568
		.algo_strength = SSL_HIGH,
569
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
570
		.strength_bits = 128,
571
		.alg_bits = 128,
572
	},
573
574
	/* Cipher 6B */
575
	{
576
		.valid = 1,
577
		.name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
578
		.id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
579
		.algorithm_mkey = SSL_kDHE,
580
		.algorithm_auth = SSL_aRSA,
581
		.algorithm_enc = SSL_AES256,
582
		.algorithm_mac = SSL_SHA256,
583
		.algorithm_ssl = SSL_TLSV1_2,
584
		.algo_strength = SSL_HIGH,
585
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
586
		.strength_bits = 256,
587
		.alg_bits = 256,
588
	},
589
590
	/* Cipher 6C */
591
	{
592
		.valid = 1,
593
		.name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
594
		.id = TLS1_CK_ADH_WITH_AES_128_SHA256,
595
		.algorithm_mkey = SSL_kDHE,
596
		.algorithm_auth = SSL_aNULL,
597
		.algorithm_enc = SSL_AES128,
598
		.algorithm_mac = SSL_SHA256,
599
		.algorithm_ssl = SSL_TLSV1_2,
600
		.algo_strength = SSL_HIGH,
601
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
602
		.strength_bits = 128,
603
		.alg_bits = 128,
604
	},
605
606
	/* Cipher 6D */
607
	{
608
		.valid = 1,
609
		.name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
610
		.id = TLS1_CK_ADH_WITH_AES_256_SHA256,
611
		.algorithm_mkey = SSL_kDHE,
612
		.algorithm_auth = SSL_aNULL,
613
		.algorithm_enc = SSL_AES256,
614
		.algorithm_mac = SSL_SHA256,
615
		.algorithm_ssl = SSL_TLSV1_2,
616
		.algo_strength = SSL_HIGH,
617
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
618
		.strength_bits = 256,
619
		.alg_bits = 256,
620
	},
621
622
	/* GOST Ciphersuites */
623
624
	/* Cipher 81 */
625
	{
626
		.valid = 1,
627
		.name = "GOST2001-GOST89-GOST89",
628
		.id = 0x3000081,
629
		.algorithm_mkey = SSL_kGOST,
630
		.algorithm_auth = SSL_aGOST01,
631
		.algorithm_enc = SSL_eGOST2814789CNT,
632
		.algorithm_mac = SSL_GOST89MAC,
633
		.algorithm_ssl = SSL_TLSV1,
634
		.algo_strength = SSL_HIGH,
635
		.algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
636
		    TLS1_STREAM_MAC,
637
		.strength_bits = 256,
638
		.alg_bits = 256
639
	},
640
641
	/* Cipher 83 */
642
	{
643
		.valid = 1,
644
		.name = "GOST2001-NULL-GOST94",
645
		.id = 0x3000083,
646
		.algorithm_mkey = SSL_kGOST,
647
		.algorithm_auth = SSL_aGOST01,
648
		.algorithm_enc = SSL_eNULL,
649
		.algorithm_mac = SSL_GOST94,
650
		.algorithm_ssl = SSL_TLSV1,
651
		.algo_strength = SSL_STRONG_NONE,
652
		.algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
653
		.strength_bits = 0,
654
		.alg_bits = 0
655
	},
656
657
#ifndef OPENSSL_NO_CAMELLIA
658
	/* Camellia ciphersuites from RFC4132 (256-bit portion) */
659
660
	/* Cipher 84 */
661
	{
662
		.valid = 1,
663
		.name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
664
		.id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
665
		.algorithm_mkey = SSL_kRSA,
666
		.algorithm_auth = SSL_aRSA,
667
		.algorithm_enc = SSL_CAMELLIA256,
668
		.algorithm_mac = SSL_SHA1,
669
		.algorithm_ssl = SSL_TLSV1,
670
		.algo_strength = SSL_HIGH,
671
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
672
		.strength_bits = 256,
673
		.alg_bits = 256,
674
	},
675
676
	/* Cipher 88 */
677
	{
678
		.valid = 1,
679
		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
680
		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
681
		.algorithm_mkey = SSL_kDHE,
682
		.algorithm_auth = SSL_aRSA,
683
		.algorithm_enc = SSL_CAMELLIA256,
684
		.algorithm_mac = SSL_SHA1,
685
		.algorithm_ssl = SSL_TLSV1,
686
		.algo_strength = SSL_HIGH,
687
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
688
		.strength_bits = 256,
689
		.alg_bits = 256,
690
	},
691
692
	/* Cipher 89 */
693
	{
694
		.valid = 1,
695
		.name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
696
		.id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
697
		.algorithm_mkey = SSL_kDHE,
698
		.algorithm_auth = SSL_aNULL,
699
		.algorithm_enc = SSL_CAMELLIA256,
700
		.algorithm_mac = SSL_SHA1,
701
		.algorithm_ssl = SSL_TLSV1,
702
		.algo_strength = SSL_HIGH,
703
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
704
		.strength_bits = 256,
705
		.alg_bits = 256,
706
	},
707
#endif /* OPENSSL_NO_CAMELLIA */
708
709
	/*
710
	 * GCM ciphersuites from RFC5288.
711
	 */
712
713
	/* Cipher 9C */
714
	{
715
		.valid = 1,
716
		.name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
717
		.id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
718
		.algorithm_mkey = SSL_kRSA,
719
		.algorithm_auth = SSL_aRSA,
720
		.algorithm_enc = SSL_AES128GCM,
721
		.algorithm_mac = SSL_AEAD,
722
		.algorithm_ssl = SSL_TLSV1_2,
723
		.algo_strength = SSL_HIGH,
724
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
725
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
726
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
727
		.strength_bits = 128,
728
		.alg_bits = 128,
729
	},
730
731
	/* Cipher 9D */
732
	{
733
		.valid = 1,
734
		.name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
735
		.id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
736
		.algorithm_mkey = SSL_kRSA,
737
		.algorithm_auth = SSL_aRSA,
738
		.algorithm_enc = SSL_AES256GCM,
739
		.algorithm_mac = SSL_AEAD,
740
		.algorithm_ssl = SSL_TLSV1_2,
741
		.algo_strength = SSL_HIGH,
742
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
743
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
744
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
745
		.strength_bits = 256,
746
		.alg_bits = 256,
747
	},
748
749
	/* Cipher 9E */
750
	{
751
		.valid = 1,
752
		.name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
753
		.id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
754
		.algorithm_mkey = SSL_kDHE,
755
		.algorithm_auth = SSL_aRSA,
756
		.algorithm_enc = SSL_AES128GCM,
757
		.algorithm_mac = SSL_AEAD,
758
		.algorithm_ssl = SSL_TLSV1_2,
759
		.algo_strength = SSL_HIGH,
760
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
761
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
762
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
763
		.strength_bits = 128,
764
		.alg_bits = 128,
765
	},
766
767
	/* Cipher 9F */
768
	{
769
		.valid = 1,
770
		.name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
771
		.id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
772
		.algorithm_mkey = SSL_kDHE,
773
		.algorithm_auth = SSL_aRSA,
774
		.algorithm_enc = SSL_AES256GCM,
775
		.algorithm_mac = SSL_AEAD,
776
		.algorithm_ssl = SSL_TLSV1_2,
777
		.algo_strength = SSL_HIGH,
778
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
779
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
780
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
781
		.strength_bits = 256,
782
		.alg_bits = 256,
783
	},
784
785
	/* Cipher A6 */
786
	{
787
		.valid = 1,
788
		.name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
789
		.id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
790
		.algorithm_mkey = SSL_kDHE,
791
		.algorithm_auth = SSL_aNULL,
792
		.algorithm_enc = SSL_AES128GCM,
793
		.algorithm_mac = SSL_AEAD,
794
		.algorithm_ssl = SSL_TLSV1_2,
795
		.algo_strength = SSL_HIGH,
796
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
797
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
798
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
799
		.strength_bits = 128,
800
		.alg_bits = 128,
801
	},
802
803
	/* Cipher A7 */
804
	{
805
		.valid = 1,
806
		.name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
807
		.id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
808
		.algorithm_mkey = SSL_kDHE,
809
		.algorithm_auth = SSL_aNULL,
810
		.algorithm_enc = SSL_AES256GCM,
811
		.algorithm_mac = SSL_AEAD,
812
		.algorithm_ssl = SSL_TLSV1_2,
813
		.algo_strength = SSL_HIGH,
814
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
815
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
816
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
817
		.strength_bits = 256,
818
		.alg_bits = 256,
819
	},
820
821
#ifndef OPENSSL_NO_CAMELLIA
822
	/* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
823
824
	/* Cipher BA */
825
	{
826
		.valid = 1,
827
		.name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
828
		.id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
829
		.algorithm_mkey = SSL_kRSA,
830
		.algorithm_auth = SSL_aRSA,
831
		.algorithm_enc = SSL_CAMELLIA128,
832
		.algorithm_mac = SSL_SHA256,
833
		.algorithm_ssl = SSL_TLSV1_2,
834
		.algo_strength = SSL_HIGH,
835
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
836
		.strength_bits = 128,
837
		.alg_bits = 128,
838
	},
839
840
	/* Cipher BE */
841
	{
842
		.valid = 1,
843
		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
844
		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
845
		.algorithm_mkey = SSL_kDHE,
846
		.algorithm_auth = SSL_aRSA,
847
		.algorithm_enc = SSL_CAMELLIA128,
848
		.algorithm_mac = SSL_SHA256,
849
		.algorithm_ssl = SSL_TLSV1_2,
850
		.algo_strength = SSL_HIGH,
851
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
852
		.strength_bits = 128,
853
		.alg_bits = 128,
854
	},
855
856
	/* Cipher BF */
857
	{
858
		.valid = 1,
859
		.name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
860
		.id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
861
		.algorithm_mkey = SSL_kDHE,
862
		.algorithm_auth = SSL_aNULL,
863
		.algorithm_enc = SSL_CAMELLIA128,
864
		.algorithm_mac = SSL_SHA256,
865
		.algorithm_ssl = SSL_TLSV1_2,
866
		.algo_strength = SSL_HIGH,
867
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
868
		.strength_bits = 128,
869
		.alg_bits = 128,
870
	},
871
872
	/* Cipher C0 */
873
	{
874
		.valid = 1,
875
		.name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
876
		.id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
877
		.algorithm_mkey = SSL_kRSA,
878
		.algorithm_auth = SSL_aRSA,
879
		.algorithm_enc = SSL_CAMELLIA256,
880
		.algorithm_mac = SSL_SHA256,
881
		.algorithm_ssl = SSL_TLSV1_2,
882
		.algo_strength = SSL_HIGH,
883
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
884
		.strength_bits = 256,
885
		.alg_bits = 256,
886
	},
887
888
	/* Cipher C4 */
889
	{
890
		.valid = 1,
891
		.name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
892
		.id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
893
		.algorithm_mkey = SSL_kDHE,
894
		.algorithm_auth = SSL_aRSA,
895
		.algorithm_enc = SSL_CAMELLIA256,
896
		.algorithm_mac = SSL_SHA256,
897
		.algorithm_ssl = SSL_TLSV1_2,
898
		.algo_strength = SSL_HIGH,
899
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
900
		.strength_bits = 256,
901
		.alg_bits = 256,
902
	},
903
904
	/* Cipher C5 */
905
	{
906
		.valid = 1,
907
		.name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
908
		.id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
909
		.algorithm_mkey = SSL_kDHE,
910
		.algorithm_auth = SSL_aNULL,
911
		.algorithm_enc = SSL_CAMELLIA256,
912
		.algorithm_mac = SSL_SHA256,
913
		.algorithm_ssl = SSL_TLSV1_2,
914
		.algo_strength = SSL_HIGH,
915
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
916
		.strength_bits = 256,
917
		.alg_bits = 256,
918
	},
919
#endif /* OPENSSL_NO_CAMELLIA */
920
921
	/* Cipher C006 */
922
	{
923
		.valid = 1,
924
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
925
		.id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
926
		.algorithm_mkey = SSL_kECDHE,
927
		.algorithm_auth = SSL_aECDSA,
928
		.algorithm_enc = SSL_eNULL,
929
		.algorithm_mac = SSL_SHA1,
930
		.algorithm_ssl = SSL_TLSV1,
931
		.algo_strength = SSL_STRONG_NONE,
932
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
933
		.strength_bits = 0,
934
		.alg_bits = 0,
935
	},
936
937
	/* Cipher C007 */
938
	{
939
		.valid = 1,
940
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
941
		.id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
942
		.algorithm_mkey = SSL_kECDHE,
943
		.algorithm_auth = SSL_aECDSA,
944
		.algorithm_enc = SSL_RC4,
945
		.algorithm_mac = SSL_SHA1,
946
		.algorithm_ssl = SSL_TLSV1,
947
		.algo_strength = SSL_LOW,
948
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
949
		.strength_bits = 128,
950
		.alg_bits = 128,
951
	},
952
953
	/* Cipher C008 */
954
	{
955
		.valid = 1,
956
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
957
		.id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
958
		.algorithm_mkey = SSL_kECDHE,
959
		.algorithm_auth = SSL_aECDSA,
960
		.algorithm_enc = SSL_3DES,
961
		.algorithm_mac = SSL_SHA1,
962
		.algorithm_ssl = SSL_TLSV1,
963
		.algo_strength = SSL_MEDIUM,
964
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
965
		.strength_bits = 112,
966
		.alg_bits = 168,
967
	},
968
969
	/* Cipher C009 */
970
	{
971
		.valid = 1,
972
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
973
		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
974
		.algorithm_mkey = SSL_kECDHE,
975
		.algorithm_auth = SSL_aECDSA,
976
		.algorithm_enc = SSL_AES128,
977
		.algorithm_mac = SSL_SHA1,
978
		.algorithm_ssl = SSL_TLSV1,
979
		.algo_strength = SSL_HIGH,
980
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
981
		.strength_bits = 128,
982
		.alg_bits = 128,
983
	},
984
985
	/* Cipher C00A */
986
	{
987
		.valid = 1,
988
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
989
		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
990
		.algorithm_mkey = SSL_kECDHE,
991
		.algorithm_auth = SSL_aECDSA,
992
		.algorithm_enc = SSL_AES256,
993
		.algorithm_mac = SSL_SHA1,
994
		.algorithm_ssl = SSL_TLSV1,
995
		.algo_strength = SSL_HIGH,
996
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
997
		.strength_bits = 256,
998
		.alg_bits = 256,
999
	},
1000
1001
	/* Cipher C010 */
1002
	{
1003
		.valid = 1,
1004
		.name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1005
		.id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1006
		.algorithm_mkey = SSL_kECDHE,
1007
		.algorithm_auth = SSL_aRSA,
1008
		.algorithm_enc = SSL_eNULL,
1009
		.algorithm_mac = SSL_SHA1,
1010
		.algorithm_ssl = SSL_TLSV1,
1011
		.algo_strength = SSL_STRONG_NONE,
1012
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1013
		.strength_bits = 0,
1014
		.alg_bits = 0,
1015
	},
1016
1017
	/* Cipher C011 */
1018
	{
1019
		.valid = 1,
1020
		.name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1021
		.id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1022
		.algorithm_mkey = SSL_kECDHE,
1023
		.algorithm_auth = SSL_aRSA,
1024
		.algorithm_enc = SSL_RC4,
1025
		.algorithm_mac = SSL_SHA1,
1026
		.algorithm_ssl = SSL_TLSV1,
1027
		.algo_strength = SSL_LOW,
1028
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1029
		.strength_bits = 128,
1030
		.alg_bits = 128,
1031
	},
1032
1033
	/* Cipher C012 */
1034
	{
1035
		.valid = 1,
1036
		.name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1037
		.id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1038
		.algorithm_mkey = SSL_kECDHE,
1039
		.algorithm_auth = SSL_aRSA,
1040
		.algorithm_enc = SSL_3DES,
1041
		.algorithm_mac = SSL_SHA1,
1042
		.algorithm_ssl = SSL_TLSV1,
1043
		.algo_strength = SSL_MEDIUM,
1044
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1045
		.strength_bits = 112,
1046
		.alg_bits = 168,
1047
	},
1048
1049
	/* Cipher C013 */
1050
	{
1051
		.valid = 1,
1052
		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1053
		.id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1054
		.algorithm_mkey = SSL_kECDHE,
1055
		.algorithm_auth = SSL_aRSA,
1056
		.algorithm_enc = SSL_AES128,
1057
		.algorithm_mac = SSL_SHA1,
1058
		.algorithm_ssl = SSL_TLSV1,
1059
		.algo_strength = SSL_HIGH,
1060
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1061
		.strength_bits = 128,
1062
		.alg_bits = 128,
1063
	},
1064
1065
	/* Cipher C014 */
1066
	{
1067
		.valid = 1,
1068
		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1069
		.id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1070
		.algorithm_mkey = SSL_kECDHE,
1071
		.algorithm_auth = SSL_aRSA,
1072
		.algorithm_enc = SSL_AES256,
1073
		.algorithm_mac = SSL_SHA1,
1074
		.algorithm_ssl = SSL_TLSV1,
1075
		.algo_strength = SSL_HIGH,
1076
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1077
		.strength_bits = 256,
1078
		.alg_bits = 256,
1079
	},
1080
1081
	/* Cipher C015 */
1082
	{
1083
		.valid = 1,
1084
		.name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1085
		.id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1086
		.algorithm_mkey = SSL_kECDHE,
1087
		.algorithm_auth = SSL_aNULL,
1088
		.algorithm_enc = SSL_eNULL,
1089
		.algorithm_mac = SSL_SHA1,
1090
		.algorithm_ssl = SSL_TLSV1,
1091
		.algo_strength = SSL_STRONG_NONE,
1092
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1093
		.strength_bits = 0,
1094
		.alg_bits = 0,
1095
	},
1096
1097
	/* Cipher C016 */
1098
	{
1099
		.valid = 1,
1100
		.name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1101
		.id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1102
		.algorithm_mkey = SSL_kECDHE,
1103
		.algorithm_auth = SSL_aNULL,
1104
		.algorithm_enc = SSL_RC4,
1105
		.algorithm_mac = SSL_SHA1,
1106
		.algorithm_ssl = SSL_TLSV1,
1107
		.algo_strength = SSL_LOW,
1108
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1109
		.strength_bits = 128,
1110
		.alg_bits = 128,
1111
	},
1112
1113
	/* Cipher C017 */
1114
	{
1115
		.valid = 1,
1116
		.name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1117
		.id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1118
		.algorithm_mkey = SSL_kECDHE,
1119
		.algorithm_auth = SSL_aNULL,
1120
		.algorithm_enc = SSL_3DES,
1121
		.algorithm_mac = SSL_SHA1,
1122
		.algorithm_ssl = SSL_TLSV1,
1123
		.algo_strength = SSL_MEDIUM,
1124
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1125
		.strength_bits = 112,
1126
		.alg_bits = 168,
1127
	},
1128
1129
	/* Cipher C018 */
1130
	{
1131
		.valid = 1,
1132
		.name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1133
		.id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1134
		.algorithm_mkey = SSL_kECDHE,
1135
		.algorithm_auth = SSL_aNULL,
1136
		.algorithm_enc = SSL_AES128,
1137
		.algorithm_mac = SSL_SHA1,
1138
		.algorithm_ssl = SSL_TLSV1,
1139
		.algo_strength = SSL_HIGH,
1140
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1141
		.strength_bits = 128,
1142
		.alg_bits = 128,
1143
	},
1144
1145
	/* Cipher C019 */
1146
	{
1147
		.valid = 1,
1148
		.name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1149
		.id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1150
		.algorithm_mkey = SSL_kECDHE,
1151
		.algorithm_auth = SSL_aNULL,
1152
		.algorithm_enc = SSL_AES256,
1153
		.algorithm_mac = SSL_SHA1,
1154
		.algorithm_ssl = SSL_TLSV1,
1155
		.algo_strength = SSL_HIGH,
1156
		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1157
		.strength_bits = 256,
1158
		.alg_bits = 256,
1159
	},
1160
1161
1162
	/* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1163
1164
	/* Cipher C023 */
1165
	{
1166
		.valid = 1,
1167
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1168
		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1169
		.algorithm_mkey = SSL_kECDHE,
1170
		.algorithm_auth = SSL_aECDSA,
1171
		.algorithm_enc = SSL_AES128,
1172
		.algorithm_mac = SSL_SHA256,
1173
		.algorithm_ssl = SSL_TLSV1_2,
1174
		.algo_strength = SSL_HIGH,
1175
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1176
		.strength_bits = 128,
1177
		.alg_bits = 128,
1178
	},
1179
1180
	/* Cipher C024 */
1181
	{
1182
		.valid = 1,
1183
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1184
		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1185
		.algorithm_mkey = SSL_kECDHE,
1186
		.algorithm_auth = SSL_aECDSA,
1187
		.algorithm_enc = SSL_AES256,
1188
		.algorithm_mac = SSL_SHA384,
1189
		.algorithm_ssl = SSL_TLSV1_2,
1190
		.algo_strength = SSL_HIGH,
1191
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1192
		.strength_bits = 256,
1193
		.alg_bits = 256,
1194
	},
1195
1196
	/* Cipher C027 */
1197
	{
1198
		.valid = 1,
1199
		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1200
		.id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1201
		.algorithm_mkey = SSL_kECDHE,
1202
		.algorithm_auth = SSL_aRSA,
1203
		.algorithm_enc = SSL_AES128,
1204
		.algorithm_mac = SSL_SHA256,
1205
		.algorithm_ssl = SSL_TLSV1_2,
1206
		.algo_strength = SSL_HIGH,
1207
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1208
		.strength_bits = 128,
1209
		.alg_bits = 128,
1210
	},
1211
1212
	/* Cipher C028 */
1213
	{
1214
		.valid = 1,
1215
		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1216
		.id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1217
		.algorithm_mkey = SSL_kECDHE,
1218
		.algorithm_auth = SSL_aRSA,
1219
		.algorithm_enc = SSL_AES256,
1220
		.algorithm_mac = SSL_SHA384,
1221
		.algorithm_ssl = SSL_TLSV1_2,
1222
		.algo_strength = SSL_HIGH,
1223
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1224
		.strength_bits = 256,
1225
		.alg_bits = 256,
1226
	},
1227
1228
	/* GCM based TLS v1.2 ciphersuites from RFC5289 */
1229
1230
	/* Cipher C02B */
1231
	{
1232
		.valid = 1,
1233
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1234
		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1235
		.algorithm_mkey = SSL_kECDHE,
1236
		.algorithm_auth = SSL_aECDSA,
1237
		.algorithm_enc = SSL_AES128GCM,
1238
		.algorithm_mac = SSL_AEAD,
1239
		.algorithm_ssl = SSL_TLSV1_2,
1240
		.algo_strength = SSL_HIGH,
1241
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1242
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1243
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1244
		.strength_bits = 128,
1245
		.alg_bits = 128,
1246
	},
1247
1248
	/* Cipher C02C */
1249
	{
1250
		.valid = 1,
1251
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1252
		.id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1253
		.algorithm_mkey = SSL_kECDHE,
1254
		.algorithm_auth = SSL_aECDSA,
1255
		.algorithm_enc = SSL_AES256GCM,
1256
		.algorithm_mac = SSL_AEAD,
1257
		.algorithm_ssl = SSL_TLSV1_2,
1258
		.algo_strength = SSL_HIGH,
1259
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1260
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1261
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1262
		.strength_bits = 256,
1263
		.alg_bits = 256,
1264
	},
1265
1266
	/* Cipher C02F */
1267
	{
1268
		.valid = 1,
1269
		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1270
		.id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1271
		.algorithm_mkey = SSL_kECDHE,
1272
		.algorithm_auth = SSL_aRSA,
1273
		.algorithm_enc = SSL_AES128GCM,
1274
		.algorithm_mac = SSL_AEAD,
1275
		.algorithm_ssl = SSL_TLSV1_2,
1276
		.algo_strength = SSL_HIGH,
1277
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1278
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1279
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1280
		.strength_bits = 128,
1281
		.alg_bits = 128,
1282
	},
1283
1284
	/* Cipher C030 */
1285
	{
1286
		.valid = 1,
1287
		.name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1288
		.id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1289
		.algorithm_mkey = SSL_kECDHE,
1290
		.algorithm_auth = SSL_aRSA,
1291
		.algorithm_enc = SSL_AES256GCM,
1292
		.algorithm_mac = SSL_AEAD,
1293
		.algorithm_ssl = SSL_TLSV1_2,
1294
		.algo_strength = SSL_HIGH,
1295
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1296
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1297
		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1298
		.strength_bits = 256,
1299
		.alg_bits = 256,
1300
	},
1301
1302
	/* Cipher CCA8 */
1303
	{
1304
		.valid = 1,
1305
		.name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1306
		.id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1307
		.algorithm_mkey = SSL_kECDHE,
1308
		.algorithm_auth = SSL_aRSA,
1309
		.algorithm_enc = SSL_CHACHA20POLY1305,
1310
		.algorithm_mac = SSL_AEAD,
1311
		.algorithm_ssl = SSL_TLSV1_2,
1312
		.algo_strength = SSL_HIGH,
1313
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1314
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1315
		.strength_bits = 256,
1316
		.alg_bits = 256,
1317
	},
1318
1319
	/* Cipher CCA9 */
1320
	{
1321
		.valid = 1,
1322
		.name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1323
		.id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1324
		.algorithm_mkey = SSL_kECDHE,
1325
		.algorithm_auth = SSL_aECDSA,
1326
		.algorithm_enc = SSL_CHACHA20POLY1305,
1327
		.algorithm_mac = SSL_AEAD,
1328
		.algorithm_ssl = SSL_TLSV1_2,
1329
		.algo_strength = SSL_HIGH,
1330
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1331
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1332
		.strength_bits = 256,
1333
		.alg_bits = 256,
1334
	},
1335
1336
	/* Cipher CCAA */
1337
	{
1338
		.valid = 1,
1339
		.name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1340
		.id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1341
		.algorithm_mkey = SSL_kDHE,
1342
		.algorithm_auth = SSL_aRSA,
1343
		.algorithm_enc = SSL_CHACHA20POLY1305,
1344
		.algorithm_mac = SSL_AEAD,
1345
		.algorithm_ssl = SSL_TLSV1_2,
1346
		.algo_strength = SSL_HIGH,
1347
		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1348
		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1349
		.strength_bits = 256,
1350
		.alg_bits = 256,
1351
	},
1352
1353
	/* Cipher FF85 FIXME IANA */
1354
	{
1355
		.valid = 1,
1356
		.name = "GOST2012256-GOST89-GOST89",
1357
		.id = 0x300ff85, /* FIXME IANA */
1358
		.algorithm_mkey = SSL_kGOST,
1359
		.algorithm_auth = SSL_aGOST01,
1360
		.algorithm_enc = SSL_eGOST2814789CNT,
1361
		.algorithm_mac = SSL_GOST89MAC,
1362
		.algorithm_ssl = SSL_TLSV1,
1363
		.algo_strength = SSL_HIGH,
1364
		.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1365
		    TLS1_STREAM_MAC,
1366
		.strength_bits = 256,
1367
		.alg_bits = 256
1368
	},
1369
1370
	/* Cipher FF87 FIXME IANA */
1371
	{
1372
		.valid = 1,
1373
		.name = "GOST2012256-NULL-STREEBOG256",
1374
		.id = 0x300ff87, /* FIXME IANA */
1375
		.algorithm_mkey = SSL_kGOST,
1376
		.algorithm_auth = SSL_aGOST01,
1377
		.algorithm_enc = SSL_eNULL,
1378
		.algorithm_mac = SSL_STREEBOG256,
1379
		.algorithm_ssl = SSL_TLSV1,
1380
		.algo_strength = SSL_STRONG_NONE,
1381
		.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1382
		.strength_bits = 0,
1383
		.alg_bits = 0
1384
	},
1385
1386
1387
	/* end of list */
1388
};
1389
1390
int
1391
ssl3_num_ciphers(void)
1392
{
1393
2218
	return (SSL3_NUM_CIPHERS);
1394
}
1395
1396
const SSL_CIPHER *
1397
ssl3_get_cipher(unsigned int u)
1398
{
1399
159696
	if (u < SSL3_NUM_CIPHERS)
1400
79848
		return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1401
	else
1402
		return (NULL);
1403
79848
}
1404
1405
const SSL_CIPHER *
1406
ssl3_get_cipher_by_id(unsigned int id)
1407
{
1408
	const SSL_CIPHER *cp;
1409
42578
	SSL_CIPHER c;
1410
1411
21289
	c.id = id;
1412
21289
	cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1413

42428
	if (cp != NULL && cp->valid == 1)
1414
21139
		return (cp);
1415
1416
150
	return (NULL);
1417
21289
}
1418
1419
const SSL_CIPHER *
1420
ssl3_get_cipher_by_value(uint16_t value)
1421
{
1422
42290
	return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1423
}
1424
1425
uint16_t
1426
ssl3_cipher_get_value(const SSL_CIPHER *c)
1427
{
1428
1491488
	return (c->id & SSL3_CK_VALUE_MASK);
1429
}
1430
1431
int
1432
ssl3_pending(const SSL *s)
1433
{
1434
3464
	if (s->internal->rstate == SSL_ST_READ_BODY)
1435
		return 0;
1436
1437
3680
	return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1438
216
	    S3I(s)->rrec.length : 0;
1439
1732
}
1440
1441
int
1442
ssl3_handshake_msg_hdr_len(SSL *s)
1443
{
1444
2616
	return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH :
1445
            SSL3_HM_HEADER_LENGTH);
1446
}
1447
1448
unsigned char *
1449
ssl3_handshake_msg_start(SSL *s, uint8_t msg_type)
1450
{
1451
	unsigned char *d, *p;
1452
1453
708
	d = p = (unsigned char *)s->internal->init_buf->data;
1454
1455
	/* Handshake message type and length. */
1456
354
	*(p++) = msg_type;
1457
354
	l2n3(0, p);
1458
1459
354
	return (d + ssl3_handshake_msg_hdr_len(s));
1460
}
1461
1462
void
1463
ssl3_handshake_msg_finish(SSL *s, unsigned int len)
1464
{
1465
	unsigned char *p;
1466
	uint8_t msg_type;
1467
1468
708
	p = (unsigned char *)s->internal->init_buf->data;
1469
1470
	/* Handshake message length. */
1471
354
	msg_type = *(p++);
1472
354
	l2n3(len, p);
1473
1474
354
	s->internal->init_num = ssl3_handshake_msg_hdr_len(s) + (int)len;
1475
354
	s->internal->init_off = 0;
1476
1477
354
	if (SSL_IS_DTLS(s)) {
1478
54
		dtls1_set_message_header(s, msg_type, len, 0, len);
1479
54
		dtls1_buffer_message(s, 0);
1480
54
	}
1481
354
}
1482
1483
int
1484
ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body,
1485
    uint8_t msg_type)
1486
{
1487
	int ret = 0;
1488
1489
67746
	if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1490
		goto err;
1491
33873
	if (!CBB_add_u8(handshake, msg_type))
1492
		goto err;
1493
33873
	if (SSL_IS_DTLS(s)) {
1494
267
		unsigned char *data;
1495
1496
267
		if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1497
		    SSL3_HM_HEADER_LENGTH))
1498
			goto err;
1499
1158
	}
1500
33873
	if (!CBB_add_u24_length_prefixed(handshake, body))
1501
		goto err;
1502
1503
33873
	ret = 1;
1504
1505
 err:
1506
33873
	return (ret);
1507
33873
}
1508
1509
int
1510
ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake)
1511
{
1512
67746
	unsigned char *data = NULL;
1513
33873
	size_t outlen;
1514
	int ret = 0;
1515
1516
67746
	if (!CBB_finish(handshake, &data, &outlen))
1517
		goto err;
1518
1519
33873
	if (outlen > INT_MAX)
1520
		goto err;
1521
1522
33873
	if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1523
		goto err;
1524
1525
33873
	memcpy(s->internal->init_buf->data, data, outlen);
1526
1527
33873
	s->internal->init_num = (int)outlen;
1528
33873
	s->internal->init_off = 0;
1529
1530
33873
	if (SSL_IS_DTLS(s)) {
1531
		unsigned long len;
1532
267
		uint8_t msg_type;
1533
267
		CBS cbs;
1534
1535
267
		CBS_init(&cbs, data, outlen);
1536
267
		if (!CBS_get_u8(&cbs, &msg_type))
1537
			goto err;
1538
1539
267
		len = outlen - ssl3_handshake_msg_hdr_len(s);
1540
1541
267
		dtls1_set_message_header(s, msg_type, len, 0, len);
1542
267
		dtls1_buffer_message(s, 0);
1543
1158
	}
1544
1545
33873
	ret = 1;
1546
1547
 err:
1548
33873
	free(data);
1549
1550
33873
	return (ret);
1551
33873
}
1552
1553
int
1554
ssl3_handshake_write(SSL *s)
1555
{
1556
68454
	return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1557
}
1558
1559
int
1560
ssl3_record_write(SSL *s, int type)
1561
{
1562
100580
	if (SSL_IS_DTLS(s))
1563
393
		return dtls1_do_write(s, type);
1564
1565
49897
	return ssl3_do_write(s, type);
1566
50290
}
1567
1568
int
1569
ssl3_new(SSL *s)
1570
{
1571
3432
	if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1572
		return (0);
1573
1716
	if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
1574
		free(s->s3);
1575
		return (0);
1576
	}
1577
1578
1716
	s->method->internal->ssl_clear(s);
1579
1580
1716
	return (1);
1581
1716
}
1582
1583
void
1584
ssl3_free(SSL *s)
1585
{
1586
3390
	if (s == NULL)
1587
		return;
1588
1589
1695
	tls1_cleanup_key_block(s);
1590
1695
	ssl3_release_read_buffer(s);
1591
1695
	ssl3_release_write_buffer(s);
1592
1593
1695
	DH_free(S3I(s)->tmp.dh);
1594
1695
	EC_KEY_free(S3I(s)->tmp.ecdh);
1595
1596
1695
	freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1597
1598
1695
	sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1599
1600
1695
	BIO_free(S3I(s)->handshake_buffer);
1601
1602
1695
	tls1_handshake_hash_free(s);
1603
1604
1695
	free(S3I(s)->alpn_selected);
1605
1606
1695
	freezero(S3I(s), sizeof(*S3I(s)));
1607
1695
	freezero(s->s3, sizeof(*s->s3));
1608
1609
1695
	s->s3 = NULL;
1610
3390
}
1611
1612
void
1613
ssl3_clear(SSL *s)
1614
{
1615
	struct ssl3_state_internal_st *internal;
1616
	unsigned char	*rp, *wp;
1617
	size_t		 rlen, wlen;
1618
1619
42500
	tls1_cleanup_key_block(s);
1620
21250
	sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1621
1622
21250
	DH_free(S3I(s)->tmp.dh);
1623
21250
	S3I(s)->tmp.dh = NULL;
1624
21250
	EC_KEY_free(S3I(s)->tmp.ecdh);
1625
21250
	S3I(s)->tmp.ecdh = NULL;
1626
1627
21250
	freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1628
21250
	S3I(s)->tmp.x25519 = NULL;
1629
1630
21250
	rp = s->s3->rbuf.buf;
1631
21250
	wp = s->s3->wbuf.buf;
1632
21250
	rlen = s->s3->rbuf.len;
1633
21250
	wlen = s->s3->wbuf.len;
1634
1635
21250
	BIO_free(S3I(s)->handshake_buffer);
1636
21250
	S3I(s)->handshake_buffer = NULL;
1637
1638
21250
	tls1_handshake_hash_free(s);
1639
1640
21250
	free(S3I(s)->alpn_selected);
1641
21250
	S3I(s)->alpn_selected = NULL;
1642
1643
21250
	memset(S3I(s), 0, sizeof(*S3I(s)));
1644
21250
	internal = S3I(s);
1645
21250
	memset(s->s3, 0, sizeof(*s->s3));
1646
21250
	S3I(s) = internal;
1647
1648
21250
	s->s3->rbuf.buf = rp;
1649
21250
	s->s3->wbuf.buf = wp;
1650
21250
	s->s3->rbuf.len = rlen;
1651
21250
	s->s3->wbuf.len = wlen;
1652
1653
21250
	ssl_free_wbio_buffer(s);
1654
1655
	/* Not needed... */
1656
21250
	S3I(s)->renegotiate = 0;
1657
21250
	S3I(s)->total_renegotiations = 0;
1658
21250
	S3I(s)->num_renegotiations = 0;
1659
21250
	S3I(s)->in_read_app_data = 0;
1660
1661
21250
	s->internal->packet_length = 0;
1662
21250
	s->version = TLS1_VERSION;
1663
21250
}
1664
1665
static long
1666
ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp)
1667
{
1668
	EVP_PKEY *pkey = NULL;
1669
	EC_GROUP *group = NULL;
1670
	EC_POINT *point = NULL;
1671
	EC_KEY *ec_key = NULL;
1672
	BIGNUM *order = NULL;
1673
	SESS_CERT *sc;
1674
	int ret = 0;
1675
1676
8
	*pkey_tmp = NULL;
1677
1678
4
	if (s->server != 0)
1679
		return 0;
1680

8
	if (s->session == NULL || SSI(s)->sess_cert == NULL)
1681
		return 0;
1682
1683
	sc = SSI(s)->sess_cert;
1684
1685
4
	if ((pkey = EVP_PKEY_new()) == NULL)
1686
		return 0;
1687
1688
4
	if (sc->peer_dh_tmp != NULL) {
1689
		ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp);
1690
4
	} else if (sc->peer_ecdh_tmp) {
1691
4
		ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp);
1692
4
	} else if (sc->peer_x25519_tmp != NULL) {
1693
		/* Fudge up an EC_KEY that looks like X25519... */
1694
		if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL)
1695
			goto err;
1696
		if ((point = EC_POINT_new(group)) == NULL)
1697
			goto err;
1698
		if ((order = BN_new()) == NULL)
1699
			goto err;
1700
		if (!BN_set_bit(order, 252))
1701
			goto err;
1702
		if (!EC_GROUP_set_generator(group, point, order, NULL))
1703
			goto err;
1704
		EC_GROUP_set_curve_name(group, NID_X25519);
1705
		if ((ec_key = EC_KEY_new()) == NULL)
1706
			goto err;
1707
		if (!EC_KEY_set_group(ec_key, group))
1708
			goto err;
1709
		ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key);
1710
	}
1711
1712
4
	if (ret == 1) {
1713
4
		*pkey_tmp = pkey;
1714
		pkey = NULL;
1715
4
	}
1716
1717
  err:
1718
4
	EVP_PKEY_free(pkey);
1719
4
	EC_GROUP_free(group);
1720
4
	EC_POINT_free(point);
1721
4
	EC_KEY_free(ec_key);
1722
4
	BN_free(order);
1723
1724
4
	return (ret);
1725
4
}
1726
1727
static int
1728
_SSL_session_reused(SSL *s)
1729
{
1730
31350
	return s->internal->hit;
1731
}
1732
1733
static int
1734
_SSL_num_renegotiations(SSL *s)
1735
{
1736
	return S3I(s)->num_renegotiations;
1737
}
1738
1739
static int
1740
_SSL_clear_num_renegotiations(SSL *s)
1741
{
1742
	int renegs;
1743
1744
	renegs = S3I(s)->num_renegotiations;
1745
	S3I(s)->num_renegotiations = 0;
1746
1747
	return renegs;
1748
}
1749
1750
static int
1751
_SSL_total_renegotiations(SSL *s)
1752
{
1753
4
	return S3I(s)->total_renegotiations;
1754
}
1755
1756
static int
1757
_SSL_set_tmp_dh(SSL *s, DH *dh)
1758
{
1759
	DH *dh_tmp;
1760
1761
	if (!ssl_cert_inst(&s->cert)) {
1762
		SSLerror(s, ERR_R_MALLOC_FAILURE);
1763
		return 0;
1764
	}
1765
1766
	if (dh == NULL) {
1767
		SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1768
		return 0;
1769
	}
1770
1771
	if ((dh_tmp = DHparams_dup(dh)) == NULL) {
1772
		SSLerror(s, ERR_R_DH_LIB);
1773
		return 0;
1774
	}
1775
1776
	DH_free(s->cert->dh_tmp);
1777
	s->cert->dh_tmp = dh_tmp;
1778
1779
	return 1;
1780
}
1781
1782
static int
1783
_SSL_set_dh_auto(SSL *s, int state)
1784
{
1785
	s->cert->dh_tmp_auto = state;
1786
	return 1;
1787
}
1788
1789
static int
1790
_SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1791
{
1792
	const EC_GROUP *group;
1793
	int nid;
1794
1795
	if (!ssl_cert_inst(&s->cert)) {
1796
		SSLerror(s, ERR_R_MALLOC_FAILURE);
1797
		return 0;
1798
	}
1799
1800
	if (ecdh == NULL)
1801
		return 0;
1802
	if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1803
		return 0;
1804
1805
	nid = EC_GROUP_get_curve_name(group);
1806
	return SSL_set1_groups(s, &nid, 1);
1807
}
1808
1809
static int
1810
_SSL_set_ecdh_auto(SSL *s, int state)
1811
{
1812
	return 1;
1813
}
1814
1815
static int
1816
_SSL_set_tlsext_host_name(SSL *s, const char *name)
1817
{
1818
36
	free(s->tlsext_hostname);
1819
18
	s->tlsext_hostname = NULL;
1820
1821
18
	if (name == NULL)
1822
		return 1;
1823
1824
18
	if (strlen(name) > TLSEXT_MAXLEN_host_name) {
1825
		SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1826
		return 0;
1827
	}
1828
1829
18
	if ((s->tlsext_hostname = strdup(name)) == NULL) {
1830
		SSLerror(s, ERR_R_INTERNAL_ERROR);
1831
		return 0;
1832
	}
1833
1834
18
	return 1;
1835
18
}
1836
1837
static int
1838
_SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1839
{
1840
	s->internal->tlsext_debug_arg = arg;
1841
	return 1;
1842
}
1843
1844
static int
1845
_SSL_set_tlsext_status_type(SSL *s, int type)
1846
{
1847
30
	s->tlsext_status_type = type;
1848
15
	return 1;
1849
}
1850
1851
static int
1852
_SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1853
{
1854
	*exts = s->internal->tlsext_ocsp_exts;
1855
	return 1;
1856
}
1857
1858
static int
1859
_SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1860
{
1861
	/* XXX - leak... */
1862
	s->internal->tlsext_ocsp_exts = exts;
1863
	return 1;
1864
}
1865
1866
static int
1867
_SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1868
{
1869
	*ids = s->internal->tlsext_ocsp_ids;
1870
	return 1;
1871
}
1872
1873
static int
1874
_SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1875
{
1876
	/* XXX - leak... */
1877
	s->internal->tlsext_ocsp_ids = ids;
1878
	return 1;
1879
}
1880
1881
static int
1882
_SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1883
{
1884
24
	*resp = s->internal->tlsext_ocsp_resp;
1885
12
	return s->internal->tlsext_ocsp_resplen;
1886
}
1887
1888
static int
1889
_SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1890
{
1891
	free(s->internal->tlsext_ocsp_resp);
1892
	s->internal->tlsext_ocsp_resp = resp;
1893
	s->internal->tlsext_ocsp_resplen = resp_len;
1894
	return 1;
1895
}
1896
1897
int
1898
SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1899
{
1900
	return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1901
	    &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1902
}
1903
1904
int
1905
SSL_set1_groups_list(SSL *s, const char *groups)
1906
{
1907
	return tls1_set_groups_list(&s->internal->tlsext_supportedgroups,
1908
	    &s->internal->tlsext_supportedgroups_length, groups);
1909
}
1910
1911
long
1912
ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1913
{
1914







31452
	switch (cmd) {
1915
	case SSL_CTRL_GET_SESSION_REUSED:
1916
15675
		return _SSL_session_reused(s);
1917
1918
	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1919
		return _SSL_num_renegotiations(s);
1920
1921
	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1922
		return _SSL_clear_num_renegotiations(s);
1923
1924
	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1925
2
		return _SSL_total_renegotiations(s);
1926
1927
	case SSL_CTRL_SET_TMP_DH:
1928
		return _SSL_set_tmp_dh(s, parg);
1929
1930
	case SSL_CTRL_SET_TMP_DH_CB:
1931
		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1932
		return 0;
1933
1934
	case SSL_CTRL_SET_DH_AUTO:
1935
		return _SSL_set_dh_auto(s, larg);
1936
1937
	case SSL_CTRL_SET_TMP_ECDH:
1938
		return _SSL_set_tmp_ecdh(s, parg);
1939
1940
	case SSL_CTRL_SET_TMP_ECDH_CB:
1941
		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1942
		return 0;
1943
1944
	case SSL_CTRL_SET_ECDH_AUTO:
1945
		return _SSL_set_ecdh_auto(s, larg);
1946
1947
	case SSL_CTRL_SET_TLSEXT_HOSTNAME:
1948
18
		if (larg != TLSEXT_NAMETYPE_host_name) {
1949
			SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
1950
			return 0;
1951
		}
1952
18
		return _SSL_set_tlsext_host_name(s, parg);
1953
1954
	case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
1955
		return _SSL_set_tlsext_debug_arg(s, parg);
1956
1957
	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
1958
15
		return _SSL_set_tlsext_status_type(s, larg);
1959
1960
	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
1961
		return _SSL_get_tlsext_status_exts(s, parg);
1962
1963
	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
1964
		return _SSL_set_tlsext_status_exts(s, parg);
1965
1966
	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
1967
		return _SSL_get_tlsext_status_ids(s, parg);
1968
1969
	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
1970
		return _SSL_set_tlsext_status_ids(s, parg);
1971
1972
	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
1973
12
		return _SSL_get_tlsext_status_ocsp_resp(s, parg);
1974
1975
	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
1976
		return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
1977
1978
	case SSL_CTRL_SET_GROUPS:
1979
		return SSL_set1_groups(s, parg, larg);
1980
1981
	case SSL_CTRL_SET_GROUPS_LIST:
1982
		return SSL_set1_groups_list(s, parg);
1983
1984
	case SSL_CTRL_GET_SERVER_TMP_KEY:
1985
4
		return ssl_ctrl_get_server_tmp_key(s, parg);
1986
1987
	case SSL_CTRL_SET_MIN_PROTO_VERSION:
1988
		if (larg < 0 || larg > UINT16_MAX)
1989
			return 0;
1990
		return SSL_set_min_proto_version(s, larg);
1991
1992
	case SSL_CTRL_SET_MAX_PROTO_VERSION:
1993
		if (larg < 0 || larg > UINT16_MAX)
1994
			return 0;
1995
		return SSL_set_max_proto_version(s, larg);
1996
1997
	/*
1998
	 * Legacy controls that should eventually be removed.
1999
	 */
2000
	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2001
		return 0;
2002
2003
	case SSL_CTRL_GET_FLAGS:
2004
		return (int)(s->s3->flags);
2005
2006
	case SSL_CTRL_NEED_TMP_RSA:
2007
		return 0;
2008
2009
	case SSL_CTRL_SET_TMP_RSA:
2010
	case SSL_CTRL_SET_TMP_RSA_CB:
2011
		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2012
		return 0;
2013
	}
2014
2015
	return 0;
2016
15726
}
2017
2018
long
2019
ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2020
{
2021
	if (cmd == SSL_CTRL_SET_TMP_DH_CB || cmd == SSL_CTRL_SET_TMP_ECDH_CB) {
2022
		if (!ssl_cert_inst(&s->cert)) {
2023
			SSLerror(s, ERR_R_MALLOC_FAILURE);
2024
			return 0;
2025
		}
2026
	}
2027
2028
	switch (cmd) {
2029
	case SSL_CTRL_SET_TMP_RSA_CB:
2030
		SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2031
		return 0;
2032
2033
	case SSL_CTRL_SET_TMP_DH_CB:
2034
		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2035
		return 1;
2036
2037
	case SSL_CTRL_SET_TMP_ECDH_CB:
2038
		return 1;
2039
2040
	case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2041
		s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2042
		    unsigned char *, int, void *))fp;
2043
		return 1;
2044
	}
2045
2046
	return 0;
2047
}
2048
2049
static int
2050
_SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2051
{
2052
	DH *dh_tmp;
2053
2054
504
	if ((dh_tmp = DHparams_dup(dh)) == NULL) {
2055
		SSLerrorx(ERR_R_DH_LIB);
2056
		return 0;
2057
	}
2058
2059
252
	DH_free(ctx->internal->cert->dh_tmp);
2060
252
	ctx->internal->cert->dh_tmp = dh_tmp;
2061
2062
252
	return 1;
2063
252
}
2064
2065
static int
2066
_SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2067
{
2068
12
	ctx->internal->cert->dh_tmp_auto = state;
2069
6
	return 1;
2070
}
2071
2072
static int
2073
_SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2074
{
2075
	const EC_GROUP *group;
2076
504
	int nid;
2077
2078
252
	if (ecdh == NULL)
2079
		return 0;
2080
252
	if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2081
		return 0;
2082
2083
252
	nid = EC_GROUP_get_curve_name(group);
2084
252
	return SSL_CTX_set1_groups(ctx, &nid, 1);
2085
252
}
2086
2087
static int
2088
_SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2089
{
2090
36
	return 1;
2091
}
2092
2093
static int
2094
_SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2095
{
2096
24
	ctx->internal->tlsext_servername_arg = arg;
2097
12
	return 1;
2098
}
2099
2100
static int
2101
_SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2102
{
2103
	if (keys == NULL)
2104
		return 48;
2105
2106
	if (keys_len != 48) {
2107
		SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2108
		return 0;
2109
	}
2110
2111
	memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2112
	memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2113
	memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2114
2115
	return 1;
2116
}
2117
2118
static int
2119
_SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2120
{
2121
	if (keys == NULL)
2122
		return 48;
2123
2124
	if (keys_len != 48) {
2125
		SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2126
		return 0;
2127
	}
2128
2129
	memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2130
	memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2131
	memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2132
2133
	return 1;
2134
}
2135
2136
static int
2137
_SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2138
{
2139
	ctx->internal->tlsext_status_arg = arg;
2140
	return 1;
2141
}
2142
2143
static int
2144
_SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2145
{
2146
	if (ctx->extra_certs == NULL) {
2147
		if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2148
			return 0;
2149
	}
2150
	if (sk_X509_push(ctx->extra_certs, cert) == 0)
2151
		return 0;
2152
2153
	return 1;
2154
}
2155
2156
int
2157
_SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2158
{
2159
	*certs = ctx->extra_certs;
2160
	return 1;
2161
}
2162
2163
int
2164
_SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2165
{
2166
	sk_X509_pop_free(ctx->extra_certs, X509_free);
2167
	ctx->extra_certs = NULL;
2168
	return 1;
2169
}
2170
2171
int
2172
SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2173
{
2174
828
	return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2175
276
	    &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2176
}
2177
2178
int
2179
SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2180
{
2181
	return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups,
2182
	    &ctx->internal->tlsext_supportedgroups_length, groups);
2183
}
2184
2185
long
2186
ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2187
{
2188





1080
	switch (cmd) {
2189
	case SSL_CTRL_SET_TMP_DH:
2190
252
		return _SSL_CTX_set_tmp_dh(ctx, parg);
2191
2192
	case SSL_CTRL_SET_TMP_DH_CB:
2193
		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2194
		return 0;
2195
2196
	case SSL_CTRL_SET_DH_AUTO:
2197
6
		return _SSL_CTX_set_dh_auto(ctx, larg);
2198
2199
	case SSL_CTRL_SET_TMP_ECDH:
2200
252
		return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2201
2202
	case SSL_CTRL_SET_TMP_ECDH_CB:
2203
		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2204
		return 0;
2205
2206
	case SSL_CTRL_SET_ECDH_AUTO:
2207
18
		return _SSL_CTX_set_ecdh_auto(ctx, larg);
2208
2209
	case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2210
12
		return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2211
2212
	case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2213
		return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2214
2215
	case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2216
		return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2217
2218
	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2219
		return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2220
2221
	case SSL_CTRL_EXTRA_CHAIN_CERT:
2222
		return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2223
2224
	case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2225
		return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2226
2227
	case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2228
		return _SSL_CTX_clear_extra_chain_certs(ctx);
2229
2230
	case SSL_CTRL_SET_GROUPS:
2231
		return SSL_CTX_set1_groups(ctx, parg, larg);
2232
2233
	case SSL_CTRL_SET_GROUPS_LIST:
2234
		return SSL_CTX_set1_groups_list(ctx, parg);
2235
2236
	case SSL_CTRL_SET_MIN_PROTO_VERSION:
2237
		if (larg < 0 || larg > UINT16_MAX)
2238
			return 0;
2239
		return SSL_CTX_set_min_proto_version(ctx, larg);
2240
2241
	case SSL_CTRL_SET_MAX_PROTO_VERSION:
2242
		if (larg < 0 || larg > UINT16_MAX)
2243
			return 0;
2244
		return SSL_CTX_set_max_proto_version(ctx, larg);
2245
2246
	/*
2247
	 * Legacy controls that should eventually be removed.
2248
	 */
2249
	case SSL_CTRL_NEED_TMP_RSA:
2250
		return 0;
2251
2252
	case SSL_CTRL_SET_TMP_RSA:
2253
	case SSL_CTRL_SET_TMP_RSA_CB:
2254
		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2255
		return 0;
2256
	}
2257
2258
	return 0;
2259
540
}
2260
2261
long
2262
ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2263
{
2264

378
	switch (cmd) {
2265
	case SSL_CTRL_SET_TMP_RSA_CB:
2266
153
		SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2267
153
		return 0;
2268
2269
	case SSL_CTRL_SET_TMP_DH_CB:
2270
		ctx->internal->cert->dh_tmp_cb =
2271
		    (DH *(*)(SSL *, int, int))fp;
2272
		return 1;
2273
2274
	case SSL_CTRL_SET_TMP_ECDH_CB:
2275
		return 1;
2276
2277
	case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2278
12
		ctx->internal->tlsext_servername_callback =
2279
12
		    (int (*)(SSL *, int *, void *))fp;
2280
12
		return 1;
2281
2282
	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2283
24
		ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2284
24
		return 1;
2285
2286
	case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2287
		ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char  *,
2288
		    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2289
		return 1;
2290
	}
2291
2292
	return 0;
2293
189
}
2294
2295
/*
2296
 * This function needs to check if the ciphers required are actually available.
2297
 */
2298
const SSL_CIPHER *
2299
ssl3_get_cipher_by_char(const unsigned char *p)
2300
{
2301
4158
	CBS cipher;
2302
2079
	uint16_t cipher_value;
2303
2304
	/* We have to assume it is at least 2 bytes due to existing API. */
2305
2079
	CBS_init(&cipher, p, 2);
2306
2079
	if (!CBS_get_u16(&cipher, &cipher_value))
2307
		return NULL;
2308
2309
2079
	return ssl3_get_cipher_by_value(cipher_value);
2310
2079
}
2311
2312
int
2313
ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
2314
{
2315
4248
	if (p != NULL) {
2316
2079
		if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID)
2317
			return (0);
2318
2079
		s2n(ssl3_cipher_get_value(c), p);
2319
2079
	}
2320
2124
	return (2);
2321
2124
}
2322
2323
SSL_CIPHER *
2324
ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2325
    STACK_OF(SSL_CIPHER) *srvr)
2326
{
2327
	unsigned long alg_k, alg_a, mask_k, mask_a;
2328
	STACK_OF(SSL_CIPHER) *prio, *allow;
2329
	SSL_CIPHER *c, *ret = NULL;
2330
	int i, ii, ok;
2331
	CERT *cert;
2332
2333
	/* Let's see which ciphers we can support */
2334
396
	cert = s->cert;
2335
2336
	/*
2337
	 * Do not set the compare functions, because this may lead to a
2338
	 * reordering by "id". We want to keep the original ordering.
2339
	 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2340
	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2341
	 */
2342
2343
198
	if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2344
		prio = srvr;
2345
		allow = clnt;
2346
12
	} else {
2347
		prio = clnt;
2348
		allow = srvr;
2349
	}
2350
2351
444
	for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2352
222
		c = sk_SSL_CIPHER_value(prio, i);
2353
2354
		/* Skip TLS v1.2 only ciphersuites if not supported. */
2355

327
		if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2356
105
		    !SSL_USE_TLS1_2_CIPHERS(s))
2357
			continue;
2358
2359
222
		ssl_set_cert_masks(cert, c);
2360
222
		mask_k = cert->mask_k;
2361
222
		mask_a = cert->mask_a;
2362
2363
222
		alg_k = c->algorithm_mkey;
2364
222
		alg_a = c->algorithm_auth;
2365
2366
2367
666
		ok = (alg_k & mask_k) && (alg_a & mask_a);
2368
2369
		/*
2370
		 * If we are considering an ECC cipher suite that uses our
2371
		 * certificate check it.
2372
		 */
2373
222
		if (alg_a & SSL_aECDSA)
2374
24
			ok = ok && tls1_check_ec_server_key(s);
2375
		/*
2376
		 * If we are considering an ECC cipher suite that uses
2377
		 * an ephemeral EC key check it.
2378
		 */
2379
222
		if (alg_k & SSL_kECDHE)
2380
312
			ok = ok && tls1_check_ec_tmp_key(s);
2381
2382
222
		if (!ok)
2383
			continue;
2384
198
		ii = sk_SSL_CIPHER_find(allow, c);
2385
198
		if (ii >= 0) {
2386
198
			ret = sk_SSL_CIPHER_value(allow, ii);
2387
198
			break;
2388
		}
2389
	}
2390
198
	return (ret);
2391
}
2392
2393
int
2394
ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2395
{
2396
	unsigned long alg_k;
2397
2398
42
	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2399
2400
#ifndef OPENSSL_NO_GOST
2401
21
	if ((alg_k & SSL_kGOST) != 0) {
2402
		if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
2403
			return 0;
2404
		if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2405
			return 0;
2406
		if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2407
			return 0;
2408
		if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2409
			return 0;
2410
	}
2411
#endif
2412
2413
21
	if ((alg_k & SSL_kDHE) != 0) {
2414
6
		if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2415
			return 0;
2416
	}
2417
2418
21
	if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2419
		return 0;
2420
2421
	/*
2422
	 * ECDSA certs can be used with RSA cipher suites as well
2423
	 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2424
	 */
2425
21
	if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2426
		return 0;
2427
2428
21
	return 1;
2429
21
}
2430
2431
int
2432
ssl3_shutdown(SSL *s)
2433
{
2434
	int	ret;
2435
2436
	/*
2437
	 * Don't do anything much if we have not done the handshake or
2438
	 * we don't want to send messages :-)
2439
	 */
2440

32512
	if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) {
2441
15677
		s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2442
15677
		return (1);
2443
	}
2444
2445
386
	if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2446
386
		s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2447
386
		ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2448
		/*
2449
		 * Our shutdown alert has been sent now, and if it still needs
2450
	 	 * to be written, s->s3->alert_dispatch will be true
2451
		 */
2452
386
		if (s->s3->alert_dispatch)
2453
360
			return(-1);	/* return WANT_WRITE */
2454
	} else if (s->s3->alert_dispatch) {
2455
		/* resend it if not sent */
2456
		ret = s->method->ssl_dispatch_alert(s);
2457
		if (ret == -1) {
2458
			/*
2459
			 * We only get to return -1 here the 2nd/Nth
2460
			 * invocation, we must  have already signalled
2461
			 * return 0 upon a previous invoation,
2462
			 * return WANT_WRITE
2463
			 */
2464
			return (ret);
2465
		}
2466
	} else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2467
		/* If we are waiting for a close from our peer, we are closed */
2468
		s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0);
2469
		if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2470
			return(-1);	/* return WANT_READ */
2471
		}
2472
	}
2473
2474

26
	if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2475
	    !s->s3->alert_dispatch)
2476
		return (1);
2477
	else
2478
26
		return (0);
2479
16063
}
2480
2481
int
2482
ssl3_write(SSL *s, const void *buf, int len)
2483
{
2484
	int	ret, n;
2485
2486
#if 0
2487
	if (s->internal->shutdown & SSL_SEND_SHUTDOWN) {
2488
		s->internal->rwstate = SSL_NOTHING;
2489
		return (0);
2490
	}
2491
#endif
2492
9184
	errno = 0;
2493
4592
	if (S3I(s)->renegotiate)
2494
		ssl3_renegotiate_check(s);
2495
2496
	/*
2497
	 * This is an experimental flag that sends the
2498
	 * last handshake message in the same packet as the first
2499
	 * use data - used to see if it helps the TCP protocol during
2500
	 * session-id reuse
2501
	 */
2502
	/* The second test is because the buffer may have been removed */
2503

4592
	if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) {
2504
		/* First time through, we write into the buffer */
2505
		if (S3I(s)->delay_buf_pop_ret == 0) {
2506
			ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA,
2507
			    buf, len);
2508
			if (ret <= 0)
2509
				return (ret);
2510
2511
			S3I(s)->delay_buf_pop_ret = ret;
2512
		}
2513
2514
		s->internal->rwstate = SSL_WRITING;
2515
		n = BIO_flush(s->wbio);
2516
		if (n <= 0)
2517
			return (n);
2518
		s->internal->rwstate = SSL_NOTHING;
2519
2520
		/* We have flushed the buffer, so remove it */
2521
		ssl_free_wbio_buffer(s);
2522
		s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
2523
2524
		ret = S3I(s)->delay_buf_pop_ret;
2525
		S3I(s)->delay_buf_pop_ret = 0;
2526
	} else {
2527
4592
		ret = s->method->internal->ssl_write_bytes(s,
2528
		    SSL3_RT_APPLICATION_DATA, buf, len);
2529
4592
		if (ret <= 0)
2530
4232
			return (ret);
2531
	}
2532
2533
360
	return (ret);
2534
4592
}
2535
2536
static int
2537
ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2538
{
2539
	int	ret;
2540
2541
9612
	errno = 0;
2542
4806
	if (S3I(s)->renegotiate)
2543
		ssl3_renegotiate_check(s);
2544
4806
	S3I(s)->in_read_app_data = 1;
2545
4806
	ret = s->method->internal->ssl_read_bytes(s,
2546
	    SSL3_RT_APPLICATION_DATA, buf, len, peek);
2547

9252
	if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2548
		/*
2549
		 * ssl3_read_bytes decided to call s->internal->handshake_func, which
2550
		 * called ssl3_read_bytes to read handshake data.
2551
		 * However, ssl3_read_bytes actually found application data
2552
		 * and thinks that application data makes sense here; so disable
2553
		 * handshake processing and try to read application data again.
2554
		 */
2555
		s->internal->in_handshake++;
2556
		ret = s->method->internal->ssl_read_bytes(s,
2557
		    SSL3_RT_APPLICATION_DATA, buf, len, peek);
2558
		s->internal->in_handshake--;
2559
	} else
2560
4806
		S3I(s)->in_read_app_data = 0;
2561
2562
4806
	return (ret);
2563
}
2564
2565
int
2566
ssl3_read(SSL *s, void *buf, int len)
2567
{
2568
9612
	return ssl3_read_internal(s, buf, len, 0);
2569
}
2570
2571
int
2572
ssl3_peek(SSL *s, void *buf, int len)
2573
{
2574
	return ssl3_read_internal(s, buf, len, 1);
2575
}
2576
2577
int
2578
ssl3_renegotiate(SSL *s)
2579
{
2580
6
	if (s->internal->handshake_func == NULL)
2581
3
		return (1);
2582
2583
	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2584
		return (0);
2585
2586
	S3I(s)->renegotiate = 1;
2587
	return (1);
2588
3
}
2589
2590
int
2591
ssl3_renegotiate_check(SSL *s)
2592
{
2593
	int	ret = 0;
2594
2595
	if (S3I(s)->renegotiate) {
2596
		if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) &&
2597
		    !SSL_in_init(s)) {
2598
			/*
2599
			 * If we are the server, and we have sent
2600
			 * a 'RENEGOTIATE' message, we need to go
2601
			 * to SSL_ST_ACCEPT.
2602
			 */
2603
			/* SSL_ST_ACCEPT */
2604
			S3I(s)->hs.state = SSL_ST_RENEGOTIATE;
2605
			S3I(s)->renegotiate = 0;
2606
			S3I(s)->num_renegotiations++;
2607
			S3I(s)->total_renegotiations++;
2608
			ret = 1;
2609
		}
2610
	}
2611
	return (ret);
2612
}
2613
/*
2614
 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
2615
 * and handshake macs if required.
2616
 */
2617
long
2618
ssl_get_algorithm2(SSL *s)
2619
{
2620
167322
	long	alg2 = S3I(s)->hs.new_cipher->algorithm2;
2621
2622
167322
	if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2623
83661
	    alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
2624
564
		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
2625
83097
	return alg2;
2626
83661
}