1 /* $OpenBSD: s3_lib.c,v 1.198 2020/09/17 15:42:14 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
154 #include <openssl/bn.h>
155 #include <openssl/curve25519.h>
156 #include <openssl/dh.h>
157 #include <openssl/md5.h>
158 #include <openssl/objects.h>
160 #include "ssl_locl.h"
161 #include "bytestring.h"
163 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
166 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the
167 * fixed nonce length in algorithms2. It is the inverse of the
168 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro.
170 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
172 /* list of available SSLv3 ciphers (sorted by id) */
173 SSL_CIPHER ssl3_ciphers[] = {
175 /* The RSA ciphers */
179 .name = SSL3_TXT_RSA_NULL_MD5,
180 .id = SSL3_CK_RSA_NULL_MD5,
181 .algorithm_mkey = SSL_kRSA,
182 .algorithm_auth = SSL_aRSA,
183 .algorithm_enc = SSL_eNULL,
184 .algorithm_mac = SSL_MD5,
185 .algorithm_ssl = SSL_SSLV3,
186 .algo_strength = SSL_STRONG_NONE,
187 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
195 .name = SSL3_TXT_RSA_NULL_SHA,
196 .id = SSL3_CK_RSA_NULL_SHA,
197 .algorithm_mkey = SSL_kRSA,
198 .algorithm_auth = SSL_aRSA,
199 .algorithm_enc = SSL_eNULL,
200 .algorithm_mac = SSL_SHA1,
201 .algorithm_ssl = SSL_SSLV3,
202 .algo_strength = SSL_STRONG_NONE,
203 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
211 .name = SSL3_TXT_RSA_RC4_128_MD5,
212 .id = SSL3_CK_RSA_RC4_128_MD5,
213 .algorithm_mkey = SSL_kRSA,
214 .algorithm_auth = SSL_aRSA,
215 .algorithm_enc = SSL_RC4,
216 .algorithm_mac = SSL_MD5,
217 .algorithm_ssl = SSL_SSLV3,
218 .algo_strength = SSL_LOW,
219 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
220 .strength_bits = 128,
227 .name = SSL3_TXT_RSA_RC4_128_SHA,
228 .id = SSL3_CK_RSA_RC4_128_SHA,
229 .algorithm_mkey = SSL_kRSA,
230 .algorithm_auth = SSL_aRSA,
231 .algorithm_enc = SSL_RC4,
232 .algorithm_mac = SSL_SHA1,
233 .algorithm_ssl = SSL_SSLV3,
234 .algo_strength = SSL_LOW,
235 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
236 .strength_bits = 128,
243 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA,
244 .id = SSL3_CK_RSA_DES_192_CBC3_SHA,
245 .algorithm_mkey = SSL_kRSA,
246 .algorithm_auth = SSL_aRSA,
247 .algorithm_enc = SSL_3DES,
248 .algorithm_mac = SSL_SHA1,
249 .algorithm_ssl = SSL_SSLV3,
250 .algo_strength = SSL_MEDIUM,
251 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
252 .strength_bits = 112,
257 * Ephemeral DH (DHE) ciphers.
263 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
264 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
265 .algorithm_mkey = SSL_kDHE,
266 .algorithm_auth = SSL_aRSA,
267 .algorithm_enc = SSL_3DES,
268 .algorithm_mac = SSL_SHA1,
269 .algorithm_ssl = SSL_SSLV3,
270 .algo_strength = SSL_MEDIUM,
271 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
272 .strength_bits = 112,
279 .name = SSL3_TXT_ADH_RC4_128_MD5,
280 .id = SSL3_CK_ADH_RC4_128_MD5,
281 .algorithm_mkey = SSL_kDHE,
282 .algorithm_auth = SSL_aNULL,
283 .algorithm_enc = SSL_RC4,
284 .algorithm_mac = SSL_MD5,
285 .algorithm_ssl = SSL_SSLV3,
286 .algo_strength = SSL_LOW,
287 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
288 .strength_bits = 128,
295 .name = SSL3_TXT_ADH_DES_192_CBC_SHA,
296 .id = SSL3_CK_ADH_DES_192_CBC_SHA,
297 .algorithm_mkey = SSL_kDHE,
298 .algorithm_auth = SSL_aNULL,
299 .algorithm_enc = SSL_3DES,
300 .algorithm_mac = SSL_SHA1,
301 .algorithm_ssl = SSL_SSLV3,
302 .algo_strength = SSL_MEDIUM,
303 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
304 .strength_bits = 112,
315 .name = TLS1_TXT_RSA_WITH_AES_128_SHA,
316 .id = TLS1_CK_RSA_WITH_AES_128_SHA,
317 .algorithm_mkey = SSL_kRSA,
318 .algorithm_auth = SSL_aRSA,
319 .algorithm_enc = SSL_AES128,
320 .algorithm_mac = SSL_SHA1,
321 .algorithm_ssl = SSL_TLSV1,
322 .algo_strength = SSL_HIGH,
323 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
324 .strength_bits = 128,
331 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
332 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
333 .algorithm_mkey = SSL_kDHE,
334 .algorithm_auth = SSL_aRSA,
335 .algorithm_enc = SSL_AES128,
336 .algorithm_mac = SSL_SHA1,
337 .algorithm_ssl = SSL_TLSV1,
338 .algo_strength = SSL_HIGH,
339 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
340 .strength_bits = 128,
347 .name = TLS1_TXT_ADH_WITH_AES_128_SHA,
348 .id = TLS1_CK_ADH_WITH_AES_128_SHA,
349 .algorithm_mkey = SSL_kDHE,
350 .algorithm_auth = SSL_aNULL,
351 .algorithm_enc = SSL_AES128,
352 .algorithm_mac = SSL_SHA1,
353 .algorithm_ssl = SSL_TLSV1,
354 .algo_strength = SSL_HIGH,
355 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
356 .strength_bits = 128,
363 .name = TLS1_TXT_RSA_WITH_AES_256_SHA,
364 .id = TLS1_CK_RSA_WITH_AES_256_SHA,
365 .algorithm_mkey = SSL_kRSA,
366 .algorithm_auth = SSL_aRSA,
367 .algorithm_enc = SSL_AES256,
368 .algorithm_mac = SSL_SHA1,
369 .algorithm_ssl = SSL_TLSV1,
370 .algo_strength = SSL_HIGH,
371 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
372 .strength_bits = 256,
379 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
380 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
381 .algorithm_mkey = SSL_kDHE,
382 .algorithm_auth = SSL_aRSA,
383 .algorithm_enc = SSL_AES256,
384 .algorithm_mac = SSL_SHA1,
385 .algorithm_ssl = SSL_TLSV1,
386 .algo_strength = SSL_HIGH,
387 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
388 .strength_bits = 256,
395 .name = TLS1_TXT_ADH_WITH_AES_256_SHA,
396 .id = TLS1_CK_ADH_WITH_AES_256_SHA,
397 .algorithm_mkey = SSL_kDHE,
398 .algorithm_auth = SSL_aNULL,
399 .algorithm_enc = SSL_AES256,
400 .algorithm_mac = SSL_SHA1,
401 .algorithm_ssl = SSL_TLSV1,
402 .algo_strength = SSL_HIGH,
403 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
404 .strength_bits = 256,
408 /* TLS v1.2 ciphersuites */
412 .name = TLS1_TXT_RSA_WITH_NULL_SHA256,
413 .id = TLS1_CK_RSA_WITH_NULL_SHA256,
414 .algorithm_mkey = SSL_kRSA,
415 .algorithm_auth = SSL_aRSA,
416 .algorithm_enc = SSL_eNULL,
417 .algorithm_mac = SSL_SHA256,
418 .algorithm_ssl = SSL_TLSV1_2,
419 .algo_strength = SSL_STRONG_NONE,
420 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
428 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256,
429 .id = TLS1_CK_RSA_WITH_AES_128_SHA256,
430 .algorithm_mkey = SSL_kRSA,
431 .algorithm_auth = SSL_aRSA,
432 .algorithm_enc = SSL_AES128,
433 .algorithm_mac = SSL_SHA256,
434 .algorithm_ssl = SSL_TLSV1_2,
435 .algo_strength = SSL_HIGH,
436 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
437 .strength_bits = 128,
444 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256,
445 .id = TLS1_CK_RSA_WITH_AES_256_SHA256,
446 .algorithm_mkey = SSL_kRSA,
447 .algorithm_auth = SSL_aRSA,
448 .algorithm_enc = SSL_AES256,
449 .algorithm_mac = SSL_SHA256,
450 .algorithm_ssl = SSL_TLSV1_2,
451 .algo_strength = SSL_HIGH,
452 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
453 .strength_bits = 256,
457 #ifndef OPENSSL_NO_CAMELLIA
458 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
463 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
464 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
465 .algorithm_mkey = SSL_kRSA,
466 .algorithm_auth = SSL_aRSA,
467 .algorithm_enc = SSL_CAMELLIA128,
468 .algorithm_mac = SSL_SHA1,
469 .algorithm_ssl = SSL_TLSV1,
470 .algo_strength = SSL_HIGH,
471 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
472 .strength_bits = 128,
479 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
480 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
481 .algorithm_mkey = SSL_kDHE,
482 .algorithm_auth = SSL_aRSA,
483 .algorithm_enc = SSL_CAMELLIA128,
484 .algorithm_mac = SSL_SHA1,
485 .algorithm_ssl = SSL_TLSV1,
486 .algo_strength = SSL_HIGH,
487 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
488 .strength_bits = 128,
495 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
496 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
497 .algorithm_mkey = SSL_kDHE,
498 .algorithm_auth = SSL_aNULL,
499 .algorithm_enc = SSL_CAMELLIA128,
500 .algorithm_mac = SSL_SHA1,
501 .algorithm_ssl = SSL_TLSV1,
502 .algo_strength = SSL_HIGH,
503 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
504 .strength_bits = 128,
507 #endif /* OPENSSL_NO_CAMELLIA */
509 /* TLS v1.2 ciphersuites */
513 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
514 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
515 .algorithm_mkey = SSL_kDHE,
516 .algorithm_auth = SSL_aRSA,
517 .algorithm_enc = SSL_AES128,
518 .algorithm_mac = SSL_SHA256,
519 .algorithm_ssl = SSL_TLSV1_2,
520 .algo_strength = SSL_HIGH,
521 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
522 .strength_bits = 128,
529 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
530 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
531 .algorithm_mkey = SSL_kDHE,
532 .algorithm_auth = SSL_aRSA,
533 .algorithm_enc = SSL_AES256,
534 .algorithm_mac = SSL_SHA256,
535 .algorithm_ssl = SSL_TLSV1_2,
536 .algo_strength = SSL_HIGH,
537 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
538 .strength_bits = 256,
545 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256,
546 .id = TLS1_CK_ADH_WITH_AES_128_SHA256,
547 .algorithm_mkey = SSL_kDHE,
548 .algorithm_auth = SSL_aNULL,
549 .algorithm_enc = SSL_AES128,
550 .algorithm_mac = SSL_SHA256,
551 .algorithm_ssl = SSL_TLSV1_2,
552 .algo_strength = SSL_HIGH,
553 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
554 .strength_bits = 128,
561 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256,
562 .id = TLS1_CK_ADH_WITH_AES_256_SHA256,
563 .algorithm_mkey = SSL_kDHE,
564 .algorithm_auth = SSL_aNULL,
565 .algorithm_enc = SSL_AES256,
566 .algorithm_mac = SSL_SHA256,
567 .algorithm_ssl = SSL_TLSV1_2,
568 .algo_strength = SSL_HIGH,
569 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
570 .strength_bits = 256,
574 /* GOST Ciphersuites */
579 .name = "GOST2001-GOST89-GOST89",
581 .algorithm_mkey = SSL_kGOST,
582 .algorithm_auth = SSL_aGOST01,
583 .algorithm_enc = SSL_eGOST2814789CNT,
584 .algorithm_mac = SSL_GOST89MAC,
585 .algorithm_ssl = SSL_TLSV1,
586 .algo_strength = SSL_HIGH,
587 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
589 .strength_bits = 256,
596 .name = "GOST2001-NULL-GOST94",
598 .algorithm_mkey = SSL_kGOST,
599 .algorithm_auth = SSL_aGOST01,
600 .algorithm_enc = SSL_eNULL,
601 .algorithm_mac = SSL_GOST94,
602 .algorithm_ssl = SSL_TLSV1,
603 .algo_strength = SSL_STRONG_NONE,
604 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
609 #ifndef OPENSSL_NO_CAMELLIA
610 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
615 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
616 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
617 .algorithm_mkey = SSL_kRSA,
618 .algorithm_auth = SSL_aRSA,
619 .algorithm_enc = SSL_CAMELLIA256,
620 .algorithm_mac = SSL_SHA1,
621 .algorithm_ssl = SSL_TLSV1,
622 .algo_strength = SSL_HIGH,
623 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
624 .strength_bits = 256,
631 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
632 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
633 .algorithm_mkey = SSL_kDHE,
634 .algorithm_auth = SSL_aRSA,
635 .algorithm_enc = SSL_CAMELLIA256,
636 .algorithm_mac = SSL_SHA1,
637 .algorithm_ssl = SSL_TLSV1,
638 .algo_strength = SSL_HIGH,
639 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
640 .strength_bits = 256,
647 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
648 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
649 .algorithm_mkey = SSL_kDHE,
650 .algorithm_auth = SSL_aNULL,
651 .algorithm_enc = SSL_CAMELLIA256,
652 .algorithm_mac = SSL_SHA1,
653 .algorithm_ssl = SSL_TLSV1,
654 .algo_strength = SSL_HIGH,
655 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
656 .strength_bits = 256,
659 #endif /* OPENSSL_NO_CAMELLIA */
662 * GCM ciphersuites from RFC5288.
668 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
669 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
670 .algorithm_mkey = SSL_kRSA,
671 .algorithm_auth = SSL_aRSA,
672 .algorithm_enc = SSL_AES128GCM,
673 .algorithm_mac = SSL_AEAD,
674 .algorithm_ssl = SSL_TLSV1_2,
675 .algo_strength = SSL_HIGH,
676 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
678 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
679 .strength_bits = 128,
686 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
687 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
688 .algorithm_mkey = SSL_kRSA,
689 .algorithm_auth = SSL_aRSA,
690 .algorithm_enc = SSL_AES256GCM,
691 .algorithm_mac = SSL_AEAD,
692 .algorithm_ssl = SSL_TLSV1_2,
693 .algo_strength = SSL_HIGH,
694 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
696 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
697 .strength_bits = 256,
704 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
705 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
706 .algorithm_mkey = SSL_kDHE,
707 .algorithm_auth = SSL_aRSA,
708 .algorithm_enc = SSL_AES128GCM,
709 .algorithm_mac = SSL_AEAD,
710 .algorithm_ssl = SSL_TLSV1_2,
711 .algo_strength = SSL_HIGH,
712 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
714 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
715 .strength_bits = 128,
722 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
723 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
724 .algorithm_mkey = SSL_kDHE,
725 .algorithm_auth = SSL_aRSA,
726 .algorithm_enc = SSL_AES256GCM,
727 .algorithm_mac = SSL_AEAD,
728 .algorithm_ssl = SSL_TLSV1_2,
729 .algo_strength = SSL_HIGH,
730 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
732 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
733 .strength_bits = 256,
740 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
741 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
742 .algorithm_mkey = SSL_kDHE,
743 .algorithm_auth = SSL_aNULL,
744 .algorithm_enc = SSL_AES128GCM,
745 .algorithm_mac = SSL_AEAD,
746 .algorithm_ssl = SSL_TLSV1_2,
747 .algo_strength = SSL_HIGH,
748 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
750 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
751 .strength_bits = 128,
758 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
759 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
760 .algorithm_mkey = SSL_kDHE,
761 .algorithm_auth = SSL_aNULL,
762 .algorithm_enc = SSL_AES256GCM,
763 .algorithm_mac = SSL_AEAD,
764 .algorithm_ssl = SSL_TLSV1_2,
765 .algo_strength = SSL_HIGH,
766 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
768 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
769 .strength_bits = 256,
773 #ifndef OPENSSL_NO_CAMELLIA
774 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
779 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
780 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
781 .algorithm_mkey = SSL_kRSA,
782 .algorithm_auth = SSL_aRSA,
783 .algorithm_enc = SSL_CAMELLIA128,
784 .algorithm_mac = SSL_SHA256,
785 .algorithm_ssl = SSL_TLSV1_2,
786 .algo_strength = SSL_HIGH,
787 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
788 .strength_bits = 128,
795 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
796 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
797 .algorithm_mkey = SSL_kDHE,
798 .algorithm_auth = SSL_aRSA,
799 .algorithm_enc = SSL_CAMELLIA128,
800 .algorithm_mac = SSL_SHA256,
801 .algorithm_ssl = SSL_TLSV1_2,
802 .algo_strength = SSL_HIGH,
803 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
804 .strength_bits = 128,
811 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
812 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
813 .algorithm_mkey = SSL_kDHE,
814 .algorithm_auth = SSL_aNULL,
815 .algorithm_enc = SSL_CAMELLIA128,
816 .algorithm_mac = SSL_SHA256,
817 .algorithm_ssl = SSL_TLSV1_2,
818 .algo_strength = SSL_HIGH,
819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
820 .strength_bits = 128,
827 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
828 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
829 .algorithm_mkey = SSL_kRSA,
830 .algorithm_auth = SSL_aRSA,
831 .algorithm_enc = SSL_CAMELLIA256,
832 .algorithm_mac = SSL_SHA256,
833 .algorithm_ssl = SSL_TLSV1_2,
834 .algo_strength = SSL_HIGH,
835 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
836 .strength_bits = 256,
843 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
844 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
845 .algorithm_mkey = SSL_kDHE,
846 .algorithm_auth = SSL_aRSA,
847 .algorithm_enc = SSL_CAMELLIA256,
848 .algorithm_mac = SSL_SHA256,
849 .algorithm_ssl = SSL_TLSV1_2,
850 .algo_strength = SSL_HIGH,
851 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
852 .strength_bits = 256,
859 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
860 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
861 .algorithm_mkey = SSL_kDHE,
862 .algorithm_auth = SSL_aNULL,
863 .algorithm_enc = SSL_CAMELLIA256,
864 .algorithm_mac = SSL_SHA256,
865 .algorithm_ssl = SSL_TLSV1_2,
866 .algo_strength = SSL_HIGH,
867 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
868 .strength_bits = 256,
871 #endif /* OPENSSL_NO_CAMELLIA */
874 * TLSv1.3 cipher suites.
877 #ifdef LIBRESSL_HAS_TLS1_3
881 .name = TLS1_3_TXT_AES_128_GCM_SHA256,
882 .id = TLS1_3_CK_AES_128_GCM_SHA256,
883 .algorithm_mkey = SSL_kTLS1_3,
884 .algorithm_auth = SSL_aTLS1_3,
885 .algorithm_enc = SSL_AES128GCM,
886 .algorithm_mac = SSL_AEAD,
887 .algorithm_ssl = SSL_TLSV1_3,
888 .algo_strength = SSL_HIGH,
889 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
890 .strength_bits = 128,
897 .name = TLS1_3_TXT_AES_256_GCM_SHA384,
898 .id = TLS1_3_CK_AES_256_GCM_SHA384,
899 .algorithm_mkey = SSL_kTLS1_3,
900 .algorithm_auth = SSL_aTLS1_3,
901 .algorithm_enc = SSL_AES256GCM,
902 .algorithm_mac = SSL_AEAD,
903 .algorithm_ssl = SSL_TLSV1_3,
904 .algo_strength = SSL_HIGH,
905 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */
906 .strength_bits = 256,
913 .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
914 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
915 .algorithm_mkey = SSL_kTLS1_3,
916 .algorithm_auth = SSL_aTLS1_3,
917 .algorithm_enc = SSL_CHACHA20POLY1305,
918 .algorithm_mac = SSL_AEAD,
919 .algorithm_ssl = SSL_TLSV1_3,
920 .algo_strength = SSL_HIGH,
921 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */
922 .strength_bits = 256,
930 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
931 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
932 .algorithm_mkey = SSL_kECDHE,
933 .algorithm_auth = SSL_aECDSA,
934 .algorithm_enc = SSL_eNULL,
935 .algorithm_mac = SSL_SHA1,
936 .algorithm_ssl = SSL_TLSV1,
937 .algo_strength = SSL_STRONG_NONE,
938 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
946 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
947 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
948 .algorithm_mkey = SSL_kECDHE,
949 .algorithm_auth = SSL_aECDSA,
950 .algorithm_enc = SSL_RC4,
951 .algorithm_mac = SSL_SHA1,
952 .algorithm_ssl = SSL_TLSV1,
953 .algo_strength = SSL_LOW,
954 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
955 .strength_bits = 128,
962 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
963 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
964 .algorithm_mkey = SSL_kECDHE,
965 .algorithm_auth = SSL_aECDSA,
966 .algorithm_enc = SSL_3DES,
967 .algorithm_mac = SSL_SHA1,
968 .algorithm_ssl = SSL_TLSV1,
969 .algo_strength = SSL_MEDIUM,
970 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
971 .strength_bits = 112,
978 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
979 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
980 .algorithm_mkey = SSL_kECDHE,
981 .algorithm_auth = SSL_aECDSA,
982 .algorithm_enc = SSL_AES128,
983 .algorithm_mac = SSL_SHA1,
984 .algorithm_ssl = SSL_TLSV1,
985 .algo_strength = SSL_HIGH,
986 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
987 .strength_bits = 128,
994 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
995 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
996 .algorithm_mkey = SSL_kECDHE,
997 .algorithm_auth = SSL_aECDSA,
998 .algorithm_enc = SSL_AES256,
999 .algorithm_mac = SSL_SHA1,
1000 .algorithm_ssl = SSL_TLSV1,
1001 .algo_strength = SSL_HIGH,
1002 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1003 .strength_bits = 256,
1010 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1011 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1012 .algorithm_mkey = SSL_kECDHE,
1013 .algorithm_auth = SSL_aRSA,
1014 .algorithm_enc = SSL_eNULL,
1015 .algorithm_mac = SSL_SHA1,
1016 .algorithm_ssl = SSL_TLSV1,
1017 .algo_strength = SSL_STRONG_NONE,
1018 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1026 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1027 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1028 .algorithm_mkey = SSL_kECDHE,
1029 .algorithm_auth = SSL_aRSA,
1030 .algorithm_enc = SSL_RC4,
1031 .algorithm_mac = SSL_SHA1,
1032 .algorithm_ssl = SSL_TLSV1,
1033 .algo_strength = SSL_LOW,
1034 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1035 .strength_bits = 128,
1042 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1043 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1044 .algorithm_mkey = SSL_kECDHE,
1045 .algorithm_auth = SSL_aRSA,
1046 .algorithm_enc = SSL_3DES,
1047 .algorithm_mac = SSL_SHA1,
1048 .algorithm_ssl = SSL_TLSV1,
1049 .algo_strength = SSL_MEDIUM,
1050 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1051 .strength_bits = 112,
1058 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1059 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1060 .algorithm_mkey = SSL_kECDHE,
1061 .algorithm_auth = SSL_aRSA,
1062 .algorithm_enc = SSL_AES128,
1063 .algorithm_mac = SSL_SHA1,
1064 .algorithm_ssl = SSL_TLSV1,
1065 .algo_strength = SSL_HIGH,
1066 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1067 .strength_bits = 128,
1074 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1075 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1076 .algorithm_mkey = SSL_kECDHE,
1077 .algorithm_auth = SSL_aRSA,
1078 .algorithm_enc = SSL_AES256,
1079 .algorithm_mac = SSL_SHA1,
1080 .algorithm_ssl = SSL_TLSV1,
1081 .algo_strength = SSL_HIGH,
1082 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1083 .strength_bits = 256,
1090 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1091 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1092 .algorithm_mkey = SSL_kECDHE,
1093 .algorithm_auth = SSL_aNULL,
1094 .algorithm_enc = SSL_eNULL,
1095 .algorithm_mac = SSL_SHA1,
1096 .algorithm_ssl = SSL_TLSV1,
1097 .algo_strength = SSL_STRONG_NONE,
1098 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1106 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1107 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1108 .algorithm_mkey = SSL_kECDHE,
1109 .algorithm_auth = SSL_aNULL,
1110 .algorithm_enc = SSL_RC4,
1111 .algorithm_mac = SSL_SHA1,
1112 .algorithm_ssl = SSL_TLSV1,
1113 .algo_strength = SSL_LOW,
1114 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1115 .strength_bits = 128,
1122 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1123 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1124 .algorithm_mkey = SSL_kECDHE,
1125 .algorithm_auth = SSL_aNULL,
1126 .algorithm_enc = SSL_3DES,
1127 .algorithm_mac = SSL_SHA1,
1128 .algorithm_ssl = SSL_TLSV1,
1129 .algo_strength = SSL_MEDIUM,
1130 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1131 .strength_bits = 112,
1138 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1139 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1140 .algorithm_mkey = SSL_kECDHE,
1141 .algorithm_auth = SSL_aNULL,
1142 .algorithm_enc = SSL_AES128,
1143 .algorithm_mac = SSL_SHA1,
1144 .algorithm_ssl = SSL_TLSV1,
1145 .algo_strength = SSL_HIGH,
1146 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1147 .strength_bits = 128,
1154 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1155 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1156 .algorithm_mkey = SSL_kECDHE,
1157 .algorithm_auth = SSL_aNULL,
1158 .algorithm_enc = SSL_AES256,
1159 .algorithm_mac = SSL_SHA1,
1160 .algorithm_ssl = SSL_TLSV1,
1161 .algo_strength = SSL_HIGH,
1162 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1163 .strength_bits = 256,
1168 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1173 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1174 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1175 .algorithm_mkey = SSL_kECDHE,
1176 .algorithm_auth = SSL_aECDSA,
1177 .algorithm_enc = SSL_AES128,
1178 .algorithm_mac = SSL_SHA256,
1179 .algorithm_ssl = SSL_TLSV1_2,
1180 .algo_strength = SSL_HIGH,
1181 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1182 .strength_bits = 128,
1189 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1190 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1191 .algorithm_mkey = SSL_kECDHE,
1192 .algorithm_auth = SSL_aECDSA,
1193 .algorithm_enc = SSL_AES256,
1194 .algorithm_mac = SSL_SHA384,
1195 .algorithm_ssl = SSL_TLSV1_2,
1196 .algo_strength = SSL_HIGH,
1197 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1198 .strength_bits = 256,
1205 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1206 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1207 .algorithm_mkey = SSL_kECDHE,
1208 .algorithm_auth = SSL_aRSA,
1209 .algorithm_enc = SSL_AES128,
1210 .algorithm_mac = SSL_SHA256,
1211 .algorithm_ssl = SSL_TLSV1_2,
1212 .algo_strength = SSL_HIGH,
1213 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1214 .strength_bits = 128,
1221 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1222 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1223 .algorithm_mkey = SSL_kECDHE,
1224 .algorithm_auth = SSL_aRSA,
1225 .algorithm_enc = SSL_AES256,
1226 .algorithm_mac = SSL_SHA384,
1227 .algorithm_ssl = SSL_TLSV1_2,
1228 .algo_strength = SSL_HIGH,
1229 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1230 .strength_bits = 256,
1234 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1239 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1240 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1241 .algorithm_mkey = SSL_kECDHE,
1242 .algorithm_auth = SSL_aECDSA,
1243 .algorithm_enc = SSL_AES128GCM,
1244 .algorithm_mac = SSL_AEAD,
1245 .algorithm_ssl = SSL_TLSV1_2,
1246 .algo_strength = SSL_HIGH,
1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1249 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1250 .strength_bits = 128,
1257 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1258 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1259 .algorithm_mkey = SSL_kECDHE,
1260 .algorithm_auth = SSL_aECDSA,
1261 .algorithm_enc = SSL_AES256GCM,
1262 .algorithm_mac = SSL_AEAD,
1263 .algorithm_ssl = SSL_TLSV1_2,
1264 .algo_strength = SSL_HIGH,
1265 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1267 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1268 .strength_bits = 256,
1275 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1276 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1277 .algorithm_mkey = SSL_kECDHE,
1278 .algorithm_auth = SSL_aRSA,
1279 .algorithm_enc = SSL_AES128GCM,
1280 .algorithm_mac = SSL_AEAD,
1281 .algorithm_ssl = SSL_TLSV1_2,
1282 .algo_strength = SSL_HIGH,
1283 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1285 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1286 .strength_bits = 128,
1293 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1294 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1295 .algorithm_mkey = SSL_kECDHE,
1296 .algorithm_auth = SSL_aRSA,
1297 .algorithm_enc = SSL_AES256GCM,
1298 .algorithm_mac = SSL_AEAD,
1299 .algorithm_ssl = SSL_TLSV1_2,
1300 .algo_strength = SSL_HIGH,
1301 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1303 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1304 .strength_bits = 256,
1311 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1312 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1313 .algorithm_mkey = SSL_kECDHE,
1314 .algorithm_auth = SSL_aRSA,
1315 .algorithm_enc = SSL_CHACHA20POLY1305,
1316 .algorithm_mac = SSL_AEAD,
1317 .algorithm_ssl = SSL_TLSV1_2,
1318 .algo_strength = SSL_HIGH,
1319 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1320 FIXED_NONCE_LEN(12),
1321 .strength_bits = 256,
1328 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1329 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
1330 .algorithm_mkey = SSL_kECDHE,
1331 .algorithm_auth = SSL_aECDSA,
1332 .algorithm_enc = SSL_CHACHA20POLY1305,
1333 .algorithm_mac = SSL_AEAD,
1334 .algorithm_ssl = SSL_TLSV1_2,
1335 .algo_strength = SSL_HIGH,
1336 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1337 FIXED_NONCE_LEN(12),
1338 .strength_bits = 256,
1345 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
1346 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
1347 .algorithm_mkey = SSL_kDHE,
1348 .algorithm_auth = SSL_aRSA,
1349 .algorithm_enc = SSL_CHACHA20POLY1305,
1350 .algorithm_mac = SSL_AEAD,
1351 .algorithm_ssl = SSL_TLSV1_2,
1352 .algo_strength = SSL_HIGH,
1353 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1354 FIXED_NONCE_LEN(12),
1355 .strength_bits = 256,
1359 /* Cipher FF85 FIXME IANA */
1362 .name = "GOST2012256-GOST89-GOST89",
1363 .id = 0x300ff85, /* FIXME IANA */
1364 .algorithm_mkey = SSL_kGOST,
1365 .algorithm_auth = SSL_aGOST01,
1366 .algorithm_enc = SSL_eGOST2814789CNT,
1367 .algorithm_mac = SSL_GOST89MAC,
1368 .algorithm_ssl = SSL_TLSV1,
1369 .algo_strength = SSL_HIGH,
1370 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1372 .strength_bits = 256,
1376 /* Cipher FF87 FIXME IANA */
1379 .name = "GOST2012256-NULL-STREEBOG256",
1380 .id = 0x300ff87, /* FIXME IANA */
1381 .algorithm_mkey = SSL_kGOST,
1382 .algorithm_auth = SSL_aGOST01,
1383 .algorithm_enc = SSL_eNULL,
1384 .algorithm_mac = SSL_STREEBOG256,
1385 .algorithm_ssl = SSL_TLSV1,
1386 .algo_strength = SSL_STRONG_NONE,
1387 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1397 ssl3_num_ciphers(void)
1399 return (SSL3_NUM_CIPHERS);
1403 ssl3_get_cipher(unsigned int u)
1405 if (u < SSL3_NUM_CIPHERS)
1406 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
1412 ssl3_get_cipher_by_id(unsigned int id)
1414 const SSL_CIPHER *cp;
1418 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
1419 if (cp != NULL && cp->valid == 1)
1426 ssl3_get_cipher_by_value(uint16_t value)
1428 return ssl3_get_cipher_by_id(SSL3_CK_ID | value);
1432 ssl3_cipher_get_value(const SSL_CIPHER *c)
1434 return (c->id & SSL3_CK_VALUE_MASK);
1438 ssl3_pending(const SSL *s)
1440 if (s->internal->rstate == SSL_ST_READ_BODY)
1443 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ?
1444 S3I(s)->rrec.length : 0;
1448 ssl3_handshake_msg_hdr_len(SSL *s)
1450 return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH :
1451 SSL3_HM_HEADER_LENGTH);
1455 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1459 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH))
1461 if (!CBB_add_u8(handshake, msg_type))
1463 if (SSL_IS_DTLS(s)) {
1464 unsigned char *data;
1466 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
1467 SSL3_HM_HEADER_LENGTH))
1470 if (!CBB_add_u24_length_prefixed(handshake, body))
1480 ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1482 unsigned char *data = NULL;
1486 if (!CBB_finish(handshake, &data, &outlen))
1489 if (outlen > INT_MAX)
1492 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen))
1495 memcpy(s->internal->init_buf->data, data, outlen);
1497 s->internal->init_num = (int)outlen;
1498 s->internal->init_off = 0;
1500 if (SSL_IS_DTLS(s)) {
1505 CBS_init(&cbs, data, outlen);
1506 if (!CBS_get_u8(&cbs, &msg_type))
1509 len = outlen - ssl3_handshake_msg_hdr_len(s);
1511 dtls1_set_message_header(s, msg_type, len, 0, len);
1512 dtls1_buffer_message(s, 0);
1524 ssl3_handshake_write(SSL *s)
1526 return ssl3_record_write(s, SSL3_RT_HANDSHAKE);
1530 ssl3_record_write(SSL *s, int type)
1533 return dtls1_do_write(s, type);
1535 return ssl3_do_write(s, type);
1541 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
1543 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
1548 s->method->internal->ssl_clear(s);
1559 tls1_cleanup_key_block(s);
1560 ssl3_release_read_buffer(s);
1561 ssl3_release_write_buffer(s);
1562 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
1564 DH_free(S3I(s)->tmp.dh);
1565 EC_KEY_free(S3I(s)->tmp.ecdh);
1566 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1568 tls13_key_share_free(S3I(s)->hs_tls13.key_share);
1569 tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
1570 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1571 tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
1573 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1575 tls1_transcript_free(s);
1576 tls1_transcript_hash_free(s);
1578 free(S3I(s)->alpn_selected);
1580 freezero(S3I(s), sizeof(*S3I(s)));
1581 freezero(s->s3, sizeof(*s->s3));
1589 struct ssl3_state_internal_st *internal;
1590 unsigned char *rp, *wp;
1593 tls1_cleanup_key_block(s);
1594 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1596 DH_free(S3I(s)->tmp.dh);
1597 S3I(s)->tmp.dh = NULL;
1598 EC_KEY_free(S3I(s)->tmp.ecdh);
1599 S3I(s)->tmp.ecdh = NULL;
1600 S3I(s)->tmp.ecdh_nid = NID_undef;
1601 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
1602 S3I(s)->tmp.x25519 = NULL;
1604 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
1605 S3I(s)->hs.sigalgs = NULL;
1606 S3I(s)->hs.sigalgs_len = 0;
1608 tls13_key_share_free(S3I(s)->hs_tls13.key_share);
1609 S3I(s)->hs_tls13.key_share = NULL;
1611 tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
1612 S3I(s)->hs_tls13.secrets = NULL;
1613 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1614 S3I(s)->hs_tls13.cookie = NULL;
1615 S3I(s)->hs_tls13.cookie_len = 0;
1616 tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
1618 S3I(s)->hs.extensions_seen = 0;
1620 rp = S3I(s)->rbuf.buf;
1621 wp = S3I(s)->wbuf.buf;
1622 rlen = S3I(s)->rbuf.len;
1623 wlen = S3I(s)->wbuf.len;
1625 tls1_transcript_free(s);
1626 tls1_transcript_hash_free(s);
1628 free(S3I(s)->alpn_selected);
1629 S3I(s)->alpn_selected = NULL;
1631 memset(S3I(s), 0, sizeof(*S3I(s)));
1633 memset(s->s3, 0, sizeof(*s->s3));
1636 S3I(s)->rbuf.buf = rp;
1637 S3I(s)->wbuf.buf = wp;
1638 S3I(s)->rbuf.len = rlen;
1639 S3I(s)->wbuf.len = wlen;
1641 ssl_free_wbio_buffer(s);
1644 S3I(s)->renegotiate = 0;
1645 S3I(s)->total_renegotiations = 0;
1646 S3I(s)->num_renegotiations = 0;
1647 S3I(s)->in_read_app_data = 0;
1649 s->internal->packet_length = 0;
1650 s->version = TLS1_VERSION;
1652 S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
1656 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
1658 EVP_PKEY *pkey = NULL;
1664 if (s->session == NULL || SSI(s)->sess_cert == NULL)
1667 sc = SSI(s)->sess_cert;
1669 if ((pkey = EVP_PKEY_new()) == NULL)
1672 if (sc->peer_dh_tmp != NULL) {
1673 if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp))
1675 } else if (sc->peer_ecdh_tmp) {
1676 if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp))
1678 } else if (sc->peer_x25519_tmp != NULL) {
1679 if (!ssl_kex_dummy_ecdhe_x25519(pkey))
1681 } else if (S3I(s)->hs_tls13.key_share != NULL) {
1682 if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share,
1695 EVP_PKEY_free(pkey);
1701 _SSL_session_reused(SSL *s)
1703 return s->internal->hit;
1707 _SSL_num_renegotiations(SSL *s)
1709 return S3I(s)->num_renegotiations;
1713 _SSL_clear_num_renegotiations(SSL *s)
1717 renegs = S3I(s)->num_renegotiations;
1718 S3I(s)->num_renegotiations = 0;
1724 _SSL_total_renegotiations(SSL *s)
1726 return S3I(s)->total_renegotiations;
1730 _SSL_set_tmp_dh(SSL *s, DH *dh)
1735 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
1739 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
1740 SSLerror(s, ERR_R_DH_LIB);
1744 DH_free(s->cert->dh_tmp);
1745 s->cert->dh_tmp = dh_tmp;
1751 _SSL_set_dh_auto(SSL *s, int state)
1753 s->cert->dh_tmp_auto = state;
1758 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
1760 const EC_GROUP *group;
1765 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
1768 nid = EC_GROUP_get_curve_name(group);
1769 return SSL_set1_groups(s, &nid, 1);
1773 _SSL_set_ecdh_auto(SSL *s, int state)
1779 _SSL_set_tlsext_host_name(SSL *s, const char *name)
1781 free(s->tlsext_hostname);
1782 s->tlsext_hostname = NULL;
1787 if (strlen(name) > TLSEXT_MAXLEN_host_name) {
1788 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1792 if ((s->tlsext_hostname = strdup(name)) == NULL) {
1793 SSLerror(s, ERR_R_INTERNAL_ERROR);
1801 _SSL_set_tlsext_debug_arg(SSL *s, void *arg)
1803 s->internal->tlsext_debug_arg = arg;
1808 _SSL_set_tlsext_status_type(SSL *s, int type)
1810 s->tlsext_status_type = type;
1815 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts)
1817 *exts = s->internal->tlsext_ocsp_exts;
1822 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts)
1825 s->internal->tlsext_ocsp_exts = exts;
1830 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids)
1832 *ids = s->internal->tlsext_ocsp_ids;
1837 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
1840 s->internal->tlsext_ocsp_ids = ids;
1845 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
1847 if (s->internal->tlsext_ocsp_resp != NULL &&
1848 s->internal->tlsext_ocsp_resp_len < INT_MAX) {
1849 *resp = s->internal->tlsext_ocsp_resp;
1850 return (int)s->internal->tlsext_ocsp_resp_len;
1859 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
1861 free(s->internal->tlsext_ocsp_resp);
1862 s->internal->tlsext_ocsp_resp = NULL;
1863 s->internal->tlsext_ocsp_resp_len = 0;
1868 s->internal->tlsext_ocsp_resp = resp;
1869 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len;
1875 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
1877 return ssl_cert_set0_chain(ssl->cert, chain);
1881 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
1883 return ssl_cert_set1_chain(ssl->cert, chain);
1887 SSL_add0_chain_cert(SSL *ssl, X509 *x509)
1889 return ssl_cert_add0_chain_cert(ssl->cert, x509);
1893 SSL_add1_chain_cert(SSL *ssl, X509 *x509)
1895 return ssl_cert_add1_chain_cert(ssl->cert, x509);
1899 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
1903 if (ssl->cert->key != NULL)
1904 *out_chain = ssl->cert->key->chain;
1910 SSL_clear_chain_certs(SSL *ssl)
1912 return ssl_cert_set0_chain(ssl->cert, NULL);
1916 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
1918 return tls1_set_groups(&s->internal->tlsext_supportedgroups,
1919 &s->internal->tlsext_supportedgroups_length, groups, groups_len);
1923 SSL_set1_groups_list(SSL *s, const char *groups)
1925 return tls1_set_group_list(&s->internal->tlsext_supportedgroups,
1926 &s->internal->tlsext_supportedgroups_length, groups);
1930 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
1933 case SSL_CTRL_GET_SESSION_REUSED:
1934 return _SSL_session_reused(s);
1936 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
1937 return _SSL_num_renegotiations(s);
1939 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
1940 return _SSL_clear_num_renegotiations(s);
1942 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
1943 return _SSL_total_renegotiations(s);
1945 case SSL_CTRL_SET_TMP_DH:
1946 return _SSL_set_tmp_dh(s, parg);
1948 case SSL_CTRL_SET_TMP_DH_CB:
1949 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1952 case SSL_CTRL_SET_DH_AUTO:
1953 return _SSL_set_dh_auto(s, larg);
1955 case SSL_CTRL_SET_TMP_ECDH:
1956 return _SSL_set_tmp_ecdh(s, parg);
1958 case SSL_CTRL_SET_TMP_ECDH_CB:
1959 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1962 case SSL_CTRL_SET_ECDH_AUTO:
1963 return _SSL_set_ecdh_auto(s, larg);
1965 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
1966 if (larg != TLSEXT_NAMETYPE_host_name) {
1967 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
1970 return _SSL_set_tlsext_host_name(s, parg);
1972 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
1973 return _SSL_set_tlsext_debug_arg(s, parg);
1975 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
1976 return _SSL_set_tlsext_status_type(s, larg);
1978 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
1979 return _SSL_get_tlsext_status_exts(s, parg);
1981 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
1982 return _SSL_set_tlsext_status_exts(s, parg);
1984 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
1985 return _SSL_get_tlsext_status_ids(s, parg);
1987 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
1988 return _SSL_set_tlsext_status_ids(s, parg);
1990 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
1991 return _SSL_get_tlsext_status_ocsp_resp(s, parg);
1993 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
1994 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
1996 case SSL_CTRL_CHAIN:
1998 return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
2000 return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
2002 case SSL_CTRL_CHAIN_CERT:
2004 return SSL_add0_chain_cert(s, (X509 *)parg);
2006 return SSL_add1_chain_cert(s, (X509 *)parg);
2008 case SSL_CTRL_GET_CHAIN_CERTS:
2009 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
2011 case SSL_CTRL_SET_GROUPS:
2012 return SSL_set1_groups(s, parg, larg);
2014 case SSL_CTRL_SET_GROUPS_LIST:
2015 return SSL_set1_groups_list(s, parg);
2017 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */
2018 case SSL_CTRL_GET_SERVER_TMP_KEY:
2021 return _SSL_get_peer_tmp_key(s, parg);
2023 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2024 return SSL_get_min_proto_version(s);
2026 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2027 return SSL_get_max_proto_version(s);
2029 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2030 if (larg < 0 || larg > UINT16_MAX)
2032 return SSL_set_min_proto_version(s, larg);
2034 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2035 if (larg < 0 || larg > UINT16_MAX)
2037 return SSL_set_max_proto_version(s, larg);
2040 * Legacy controls that should eventually be removed.
2042 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
2045 case SSL_CTRL_GET_FLAGS:
2046 return (int)(s->s3->flags);
2048 case SSL_CTRL_NEED_TMP_RSA:
2051 case SSL_CTRL_SET_TMP_RSA:
2052 case SSL_CTRL_SET_TMP_RSA_CB:
2053 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2061 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2064 case SSL_CTRL_SET_TMP_RSA_CB:
2065 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2068 case SSL_CTRL_SET_TMP_DH_CB:
2069 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2072 case SSL_CTRL_SET_TMP_ECDH_CB:
2075 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2076 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int,
2077 unsigned char *, int, void *))fp;
2085 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2089 if ((dh_tmp = DHparams_dup(dh)) == NULL) {
2090 SSLerrorx(ERR_R_DH_LIB);
2094 DH_free(ctx->internal->cert->dh_tmp);
2095 ctx->internal->cert->dh_tmp = dh_tmp;
2101 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
2103 ctx->internal->cert->dh_tmp_auto = state;
2108 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh)
2110 const EC_GROUP *group;
2115 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
2118 nid = EC_GROUP_get_curve_name(group);
2119 return SSL_CTX_set1_groups(ctx, &nid, 1);
2123 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state)
2129 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg)
2131 ctx->internal->tlsext_servername_arg = arg;
2136 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2141 if (keys_len != 48) {
2142 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2146 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16);
2147 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16);
2148 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16);
2154 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len)
2159 if (keys_len != 48) {
2160 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH);
2164 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16);
2165 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16);
2166 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16);
2172 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg)
2174 *arg = ctx->internal->tlsext_status_arg;
2179 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
2181 ctx->internal->tlsext_status_arg = arg;
2186 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2188 return ssl_cert_set0_chain(ctx->internal->cert, chain);
2192 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
2194 return ssl_cert_set1_chain(ctx->internal->cert, chain);
2198 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
2200 return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
2204 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
2206 return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
2210 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
2214 if (ctx->internal->cert->key != NULL)
2215 *out_chain = ctx->internal->cert->key->chain;
2221 SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
2223 return ssl_cert_set0_chain(ctx->internal->cert, NULL);
2227 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
2229 if (ctx->extra_certs == NULL) {
2230 if ((ctx->extra_certs = sk_X509_new_null()) == NULL)
2233 if (sk_X509_push(ctx->extra_certs, cert) == 0)
2240 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs)
2242 *certs = ctx->extra_certs;
2244 *certs = ctx->internal->cert->key->chain;
2250 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs)
2252 *certs = ctx->extra_certs;
2257 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx)
2259 sk_X509_pop_free(ctx->extra_certs, X509_free);
2260 ctx->extra_certs = NULL;
2265 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len)
2267 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups,
2268 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len);
2272 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups)
2274 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups,
2275 &ctx->internal->tlsext_supportedgroups_length, groups);
2279 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2282 case SSL_CTRL_SET_TMP_DH:
2283 return _SSL_CTX_set_tmp_dh(ctx, parg);
2285 case SSL_CTRL_SET_TMP_DH_CB:
2286 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2289 case SSL_CTRL_SET_DH_AUTO:
2290 return _SSL_CTX_set_dh_auto(ctx, larg);
2292 case SSL_CTRL_SET_TMP_ECDH:
2293 return _SSL_CTX_set_tmp_ecdh(ctx, parg);
2295 case SSL_CTRL_SET_TMP_ECDH_CB:
2296 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2299 case SSL_CTRL_SET_ECDH_AUTO:
2300 return _SSL_CTX_set_ecdh_auto(ctx, larg);
2302 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2303 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg);
2305 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2306 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg);
2308 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2309 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg);
2311 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
2312 return _SSL_CTX_get_tlsext_status_arg(ctx, parg);
2314 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2315 return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2317 case SSL_CTRL_CHAIN:
2319 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
2321 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
2323 case SSL_CTRL_CHAIN_CERT:
2325 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
2327 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
2329 case SSL_CTRL_GET_CHAIN_CERTS:
2330 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
2332 case SSL_CTRL_EXTRA_CHAIN_CERT:
2333 return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2335 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2337 return _SSL_CTX_get_extra_chain_certs(ctx, parg);
2339 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg);
2341 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2342 return _SSL_CTX_clear_extra_chain_certs(ctx);
2344 case SSL_CTRL_SET_GROUPS:
2345 return SSL_CTX_set1_groups(ctx, parg, larg);
2347 case SSL_CTRL_SET_GROUPS_LIST:
2348 return SSL_CTX_set1_groups_list(ctx, parg);
2350 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2351 return SSL_CTX_get_min_proto_version(ctx);
2353 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2354 return SSL_CTX_get_max_proto_version(ctx);
2356 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2357 if (larg < 0 || larg > UINT16_MAX)
2359 return SSL_CTX_set_min_proto_version(ctx, larg);
2361 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2362 if (larg < 0 || larg > UINT16_MAX)
2364 return SSL_CTX_set_max_proto_version(ctx, larg);
2367 * Legacy controls that should eventually be removed.
2369 case SSL_CTRL_NEED_TMP_RSA:
2372 case SSL_CTRL_SET_TMP_RSA:
2373 case SSL_CTRL_SET_TMP_RSA_CB:
2374 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2382 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2385 case SSL_CTRL_SET_TMP_RSA_CB:
2386 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2389 case SSL_CTRL_SET_TMP_DH_CB:
2390 ctx->internal->cert->dh_tmp_cb =
2391 (DH *(*)(SSL *, int, int))fp;
2394 case SSL_CTRL_SET_TMP_ECDH_CB:
2397 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2398 ctx->internal->tlsext_servername_callback =
2399 (int (*)(SSL *, int *, void *))fp;
2402 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
2403 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
2406 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2407 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
2410 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2411 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
2412 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
2420 * This function needs to check if the ciphers required are actually available.
2423 ssl3_get_cipher_by_char(const unsigned char *p)
2425 uint16_t cipher_value;
2428 /* We have to assume it is at least 2 bytes due to existing API. */
2429 CBS_init(&cbs, p, 2);
2430 if (!CBS_get_u16(&cbs, &cipher_value))
2433 return ssl3_get_cipher_by_value(cipher_value);
2437 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
2444 if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID)
2447 memset(&cbb, 0, sizeof(cbb));
2449 /* We have to assume it is at least 2 bytes due to existing API. */
2450 if (!CBB_init_fixed(&cbb, p, 2))
2452 if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c)))
2454 if (!CBB_finish(&cbb, NULL, NULL))
2465 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2466 STACK_OF(SSL_CIPHER) *srvr)
2468 unsigned long alg_k, alg_a, mask_k, mask_a;
2469 STACK_OF(SSL_CIPHER) *prio, *allow;
2470 SSL_CIPHER *c, *ret = NULL;
2475 /* Let's see which ciphers we can support */
2478 can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
2481 * Do not set the compare functions, because this may lead to a
2482 * reordering by "id". We want to keep the original ordering.
2483 * We may pay a price in performance during sk_SSL_CIPHER_find(),
2484 * but would have to pay with the price of sk_SSL_CIPHER_dup().
2487 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2495 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
2496 c = sk_SSL_CIPHER_value(prio, i);
2498 /* Skip TLS v1.2 only ciphersuites if not supported. */
2499 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
2500 !SSL_USE_TLS1_2_CIPHERS(s))
2503 /* Skip TLS v1.3 only ciphersuites if not supported. */
2504 if ((c->algorithm_ssl & SSL_TLSV1_3) &&
2505 !SSL_USE_TLS1_3_CIPHERS(s))
2508 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
2509 if (SSL_USE_TLS1_3_CIPHERS(s) &&
2510 !(c->algorithm_ssl & SSL_TLSV1_3))
2513 ssl_set_cert_masks(cert, c);
2514 mask_k = cert->mask_k;
2515 mask_a = cert->mask_a;
2517 alg_k = c->algorithm_mkey;
2518 alg_a = c->algorithm_auth;
2520 ok = (alg_k & mask_k) && (alg_a & mask_a);
2523 * If we are considering an ECC cipher suite that uses our
2524 * certificate check it.
2526 if (alg_a & SSL_aECDSA)
2527 ok = ok && tls1_check_ec_server_key(s);
2529 * If we are considering an ECC cipher suite that uses
2530 * an ephemeral EC key check it.
2532 if (alg_k & SSL_kECDHE)
2533 ok = ok && can_use_ecc;
2537 ii = sk_SSL_CIPHER_find(allow, c);
2539 ret = sk_SSL_CIPHER_value(allow, ii);
2547 ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2549 unsigned long alg_k;
2551 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2553 #ifndef OPENSSL_NO_GOST
2554 if ((alg_k & SSL_kGOST) != 0) {
2555 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2557 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2559 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2561 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2563 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2568 if ((alg_k & SSL_kDHE) != 0) {
2569 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2573 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2577 * ECDSA certs can be used with RSA cipher suites as well
2578 * so we don't need to check for SSL_kECDH or SSL_kECDHE.
2580 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
2587 ssl3_shutdown(SSL *s)
2592 * Don't do anything much if we have not done the handshake or
2593 * we don't want to send messages :-)
2595 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) {
2596 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2600 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) {
2601 s->internal->shutdown|=SSL_SENT_SHUTDOWN;
2602 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
2604 * Our shutdown alert has been sent now, and if it still needs
2605 * to be written, S3I(s)->alert_dispatch will be true
2607 if (S3I(s)->alert_dispatch)
2608 return(-1); /* return WANT_WRITE */
2609 } else if (S3I(s)->alert_dispatch) {
2610 /* resend it if not sent */
2611 ret = s->method->ssl_dispatch_alert(s);
2614 * We only get to return -1 here the 2nd/Nth
2615 * invocation, we must have already signalled
2616 * return 0 upon a previous invoation,
2621 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2622 /* If we are waiting for a close from our peer, we are closed */
2623 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0);
2624 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) {
2625 return(-1); /* return WANT_READ */
2629 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
2630 !S3I(s)->alert_dispatch)
2637 ssl3_write(SSL *s, const void *buf, int len)
2641 if (S3I(s)->renegotiate)
2642 ssl3_renegotiate_check(s);
2644 return s->method->internal->ssl_write_bytes(s,
2645 SSL3_RT_APPLICATION_DATA, buf, len);
2649 ssl3_read_internal(SSL *s, void *buf, int len, int peek)
2654 if (S3I(s)->renegotiate)
2655 ssl3_renegotiate_check(s);
2656 S3I(s)->in_read_app_data = 1;
2657 ret = s->method->internal->ssl_read_bytes(s,
2658 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2659 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
2661 * ssl3_read_bytes decided to call s->internal->handshake_func, which
2662 * called ssl3_read_bytes to read handshake data.
2663 * However, ssl3_read_bytes actually found application data
2664 * and thinks that application data makes sense here; so disable
2665 * handshake processing and try to read application data again.
2667 s->internal->in_handshake++;
2668 ret = s->method->internal->ssl_read_bytes(s,
2669 SSL3_RT_APPLICATION_DATA, buf, len, peek);
2670 s->internal->in_handshake--;
2672 S3I(s)->in_read_app_data = 0;
2678 ssl3_read(SSL *s, void *buf, int len)
2680 return ssl3_read_internal(s, buf, len, 0);
2684 ssl3_peek(SSL *s, void *buf, int len)
2686 return ssl3_read_internal(s, buf, len, 1);
2690 ssl3_renegotiate(SSL *s)
2692 if (s->internal->handshake_func == NULL)
2695 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
2698 S3I(s)->renegotiate = 1;
2703 ssl3_renegotiate_check(SSL *s)
2707 if (S3I(s)->renegotiate) {
2708 if ((S3I(s)->rbuf.left == 0) && (S3I(s)->wbuf.left == 0) &&
2711 * If we are the server, and we have sent
2712 * a 'RENEGOTIATE' message, we need to go
2716 S3I(s)->hs.state = SSL_ST_RENEGOTIATE;
2717 S3I(s)->renegotiate = 0;
2718 S3I(s)->num_renegotiations++;
2719 S3I(s)->total_renegotiations++;
2726 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
2727 * and handshake macs if required.
2730 ssl_get_algorithm2(SSL *s)
2732 long alg2 = S3I(s)->hs.new_cipher->algorithm2;
2734 if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2735 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
2736 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
projects / dragonfly.git / blob