1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
86 * 6. Redistributions of any form whatsoever must retain the following
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * Portions of the attached software ("Contribution") are developed by
114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 * The Contribution is licensed pursuant to the OpenSSL open source
117 * license provided above.
119 * ECC cipher suite support in OpenSSL originally written by
120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
123 /* ====================================================================
124 * Copyright 2005 Nokia. All rights reserved.
126 * The portions of the attached software ("Contribution") is developed by
127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132 * support (see RFC 4279) to OpenSSL.
134 * No patent licenses or other rights except those expressly stated in
135 * the OpenSSL open source license shall be deemed granted or received
136 * expressly, by implication, estoppel, or otherwise.
138 * No assurances are provided by Nokia that the Contribution does not
139 * infringe the patent or other intellectual property rights of any third
140 * party or that the license provides you with all the necessary rights
141 * to make use of the Contribution.
143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
152 #include <openssl/buf.h>
153 #include <openssl/dh.h>
154 #include <openssl/md5.h>
155 #include <openssl/mem.h>
156 #include <openssl/obj.h>
158 #include "ssl_locl.h"
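/* Number of entries in ssl3_ciphers (a size_t). sizeof the first element
 * rather than the type name keeps the count tied to the array itself. */
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(ssl3_ciphers[0]))

/* FIXED_NONCE_LEN is a macro that results in the correct value to set the
 * fixed nonce length in SSL_CIPHER.algorithms2. It's the inverse of
 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN.
 *
 * The argument is fully parenthesised: the earlier ((x/2)<<24) form bound
 * the division to only the last term of a compound argument, so
 * FIXED_NONCE_LEN(a+b) would have halved b alone. Every use in this file
 * passes a literal (0 or 4), so the fix changes no existing entry. */
#define FIXED_NONCE_LEN(x) ((((x)/2))<<24)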
167 /* list of available SSLv3 ciphers (sorted by id) */
/* Reviewer notes on the table below.
 *
 * This listing is abridged: for each suite only the text name, the numeric
 * id, the strength/export flags and the algorithms2 word are visible. The
 * key-exchange, authentication, bulk-cipher, MAC, protocol-version and
 * bit-count initializer fields are not shown here, so nothing about them is
 * asserted in these notes.
 *
 * - The "sorted by id" invariant is load-bearing: ssl3_get_cipher() indexes
 *   this array from its last entry backwards, so a mis-ordered entry shifts
 *   the index every caller sees.
 * - SSL_STRONG_NONE marks the NULL-cipher suites (and the Fortezza FZA
 *   entry): no confidentiality at all. SSL_MEDIUM marks the RC4, IDEA and
 *   SEED suites. Suites named ADH_* / ECDH_anon_* use an anonymous key
 *   exchange and authenticate neither peer. None of these belong in a
 *   default cipher list; their presence here only keeps them selectable by
 *   explicit configuration.
 * - FIXED_NONCE_LEN(n) records how many bytes of an AEAD suite's nonce are
 *   fixed for the connection; SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD
 *   says the remaining bytes travel explicitly in each record. */
168 SSL_CIPHER ssl3_ciphers[]={
170 /* The RSA ciphers */
174 SSL3_TXT_RSA_NULL_MD5,
175 SSL3_CK_RSA_NULL_MD5,
181 SSL_NOT_EXP|SSL_STRONG_NONE,
182 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
190 SSL3_TXT_RSA_NULL_SHA,
191 SSL3_CK_RSA_NULL_SHA,
/* A NULL-cipher suite carrying SSL_FIPS: the flag speaks to the MAC/PRF
 * primitives, not to the suite offering any confidentiality. */
197 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
198 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
206 SSL3_TXT_RSA_RC4_128_MD5,
207 SSL3_CK_RSA_RC4_128_MD5,
213 SSL_NOT_EXP|SSL_MEDIUM,
/* This RC4-MD5 entry is the only one in the table carrying
 * SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD; presumably the record layer services
 * it through a stateful AEAD wrapper rather than the generic cipher+MAC
 * path -- confirm against the record code before relying on that. */
214 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD,
222 SSL3_TXT_RSA_RC4_128_SHA,
223 SSL3_CK_RSA_RC4_128_SHA,
229 SSL_NOT_EXP|SSL_MEDIUM,
230 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* The matching #endif for this guard did not survive the listing. */
236 #ifndef OPENSSL_NO_IDEA
239 SSL3_TXT_RSA_IDEA_128_SHA,
240 SSL3_CK_RSA_IDEA_128_SHA,
246 SSL_NOT_EXP|SSL_MEDIUM,
247 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* Single-DES entries: their strength line is not visible in this listing. */
256 SSL3_TXT_RSA_DES_64_CBC_SHA,
257 SSL3_CK_RSA_DES_64_CBC_SHA,
264 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
272 SSL3_TXT_RSA_DES_192_CBC3_SHA,
273 SSL3_CK_RSA_DES_192_CBC3_SHA,
279 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
280 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
290 SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
291 SSL3_CK_DH_DSS_DES_64_CBC_SHA,
298 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
306 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
307 SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
313 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
314 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
322 SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
323 SSL3_CK_DH_RSA_DES_64_CBC_SHA,
330 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
338 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
339 SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
345 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
346 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
351 /* The Ephemeral DH ciphers */
356 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
357 SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
364 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
372 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
373 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
379 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
380 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
388 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
389 SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
396 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
404 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
405 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
411 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
412 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* Anonymous DH suites (ADH_*): no peer authentication. */
420 SSL3_TXT_ADH_RC4_128_MD5,
421 SSL3_CK_ADH_RC4_128_MD5,
427 SSL_NOT_EXP|SSL_MEDIUM,
428 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
436 SSL3_TXT_ADH_DES_64_CBC_SHA,
437 SSL3_CK_ADH_DES_64_CBC_SHA,
444 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
452 SSL3_TXT_ADH_DES_192_CBC_SHA,
453 SSL3_CK_ADH_DES_192_CBC_SHA,
459 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
460 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
465 /* Fortezza ciphersuite from SSL 3.0 spec */
/* Legacy hardware-token suites. Note that FZA_DMS_FZA_SHA is flagged
 * SSL_STRONG_NONE below, i.e. it is treated as offering no encryption --
 * presumably because the FORTEZZA cipher is not implemented here; confirm. */
470 SSL3_TXT_FZA_DMS_NULL_SHA,
471 SSL3_CK_FZA_DMS_NULL_SHA,
477 SSL_NOT_EXP|SSL_STRONG_NONE,
478 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
486 SSL3_TXT_FZA_DMS_FZA_SHA,
487 SSL3_CK_FZA_DMS_FZA_SHA,
493 SSL_NOT_EXP|SSL_STRONG_NONE,
494 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
502 SSL3_TXT_FZA_DMS_RC4_SHA,
503 SSL3_CK_FZA_DMS_RC4_SHA,
509 SSL_NOT_EXP|SSL_MEDIUM,
510 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
516 /* New AES ciphersuites */
520 TLS1_TXT_RSA_WITH_AES_128_SHA,
521 TLS1_CK_RSA_WITH_AES_128_SHA,
527 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
528 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
535 TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
536 TLS1_CK_DH_DSS_WITH_AES_128_SHA,
542 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
543 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
550 TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
551 TLS1_CK_DH_RSA_WITH_AES_128_SHA,
557 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
558 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
565 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
566 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
572 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
573 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
580 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
581 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
587 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
588 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* SSL_HIGH|SSL_FIPS on an anonymous suite grades the bulk cipher only;
 * the exchange is still unauthenticated. */
595 TLS1_TXT_ADH_WITH_AES_128_SHA,
596 TLS1_CK_ADH_WITH_AES_128_SHA,
602 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
603 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
611 TLS1_TXT_RSA_WITH_AES_256_SHA,
612 TLS1_CK_RSA_WITH_AES_256_SHA,
618 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
619 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
626 TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
627 TLS1_CK_DH_DSS_WITH_AES_256_SHA,
633 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
634 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
642 TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
643 TLS1_CK_DH_RSA_WITH_AES_256_SHA,
649 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
650 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
658 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
659 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
665 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
666 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
674 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
675 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
681 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
682 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
690 TLS1_TXT_ADH_WITH_AES_256_SHA,
691 TLS1_CK_ADH_WITH_AES_256_SHA,
697 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
698 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
703 /* TLS v1.2 ciphersuites */
/* These SHA256 CBC suites still use the default handshake MAC / PRF word;
 * only the GCM and RFC5289 entries further down switch to the
 * SHA256/SHA384 handshake MAC and PRF. */
707 TLS1_TXT_RSA_WITH_NULL_SHA256,
708 TLS1_CK_RSA_WITH_NULL_SHA256,
714 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
715 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
723 TLS1_TXT_RSA_WITH_AES_128_SHA256,
724 TLS1_CK_RSA_WITH_AES_128_SHA256,
730 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
731 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
739 TLS1_TXT_RSA_WITH_AES_256_SHA256,
740 TLS1_CK_RSA_WITH_AES_256_SHA256,
746 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
747 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
755 TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
756 TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
762 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
763 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
771 TLS1_TXT_DH_RSA_WITH_AES_128_SHA256,
772 TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
778 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
779 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
787 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
788 TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
794 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
795 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* Experimental, compile-time gated entry; its #endif is not visible in this
 * listing. Keep it off in any production build. */
801 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
805 TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
806 TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
812 SSL_NOT_EXP|SSL_MEDIUM,
813 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
819 /* TLS v1.2 ciphersuites */
823 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
824 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
830 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
831 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
839 TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
840 TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
846 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
847 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
855 TLS1_TXT_DH_RSA_WITH_AES_256_SHA256,
856 TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
862 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
863 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
871 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
872 TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
878 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
879 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
887 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
888 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
894 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
895 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
903 TLS1_TXT_ADH_WITH_AES_128_SHA256,
904 TLS1_CK_ADH_WITH_AES_128_SHA256,
910 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
911 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
919 TLS1_TXT_ADH_WITH_AES_256_SHA256,
920 TLS1_CK_ADH_WITH_AES_256_SHA256,
926 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
927 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* Plain PSK suites (RFC 4279, see the Nokia notice in the file header). */
936 TLS1_TXT_PSK_WITH_RC4_128_SHA,
937 TLS1_CK_PSK_WITH_RC4_128_SHA,
943 SSL_NOT_EXP|SSL_MEDIUM,
944 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
952 TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
953 TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA,
959 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
960 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
968 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
969 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
975 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
976 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
984 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
985 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
991 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
992 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
997 #ifndef OPENSSL_NO_SEED
998 /* SEED ciphersuites from RFC4162 */
1003 TLS1_TXT_RSA_WITH_SEED_SHA,
1004 TLS1_CK_RSA_WITH_SEED_SHA,
1010 SSL_NOT_EXP|SSL_MEDIUM,
1011 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1019 TLS1_TXT_DH_DSS_WITH_SEED_SHA,
1020 TLS1_CK_DH_DSS_WITH_SEED_SHA,
1026 SSL_NOT_EXP|SSL_MEDIUM,
1027 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1035 TLS1_TXT_DH_RSA_WITH_SEED_SHA,
1036 TLS1_CK_DH_RSA_WITH_SEED_SHA,
1042 SSL_NOT_EXP|SSL_MEDIUM,
1043 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1051 TLS1_TXT_DHE_DSS_WITH_SEED_SHA,
1052 TLS1_CK_DHE_DSS_WITH_SEED_SHA,
1058 SSL_NOT_EXP|SSL_MEDIUM,
1059 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1067 TLS1_TXT_DHE_RSA_WITH_SEED_SHA,
1068 TLS1_CK_DHE_RSA_WITH_SEED_SHA,
1074 SSL_NOT_EXP|SSL_MEDIUM,
1075 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1083 TLS1_TXT_ADH_WITH_SEED_SHA,
1084 TLS1_CK_ADH_WITH_SEED_SHA,
1090 SSL_NOT_EXP|SSL_MEDIUM,
1091 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1096 #endif /* OPENSSL_NO_SEED */
1098 /* GCM ciphersuites from RFC5288 */
/* Every GCM entry uses the same algorithms2 word shape: SHA256/SHA384
 * handshake MAC and PRF, AEAD, a 4-byte fixed nonce part, and the variable
 * nonce part carried in the record. Style nit only: the word is written on
 * one line for the SHA256 suites and split over two for the SHA384 ones. */
1103 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
1104 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
1110 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1111 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1119 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
1120 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
1126 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1127 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1128 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1136 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
1137 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
1143 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1144 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1152 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
1153 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
1159 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1160 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1161 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1169 TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
1170 TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
1176 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1177 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1185 TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
1186 TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
1192 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1193 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1194 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1202 TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
1203 TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
1209 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1210 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1218 TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
1219 TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
1225 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1226 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1227 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1235 TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
1236 TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
1242 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1243 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1251 TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
1252 TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
1258 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1259 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1260 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1268 TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
1269 TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
1275 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1276 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1284 TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
1285 TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
1291 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1292 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1293 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
/* Debug-only block: neither its body nor its #endif survived this listing.
 * Whatever it defines must never be compiled into a shipping build. */
1297 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
/* Style nit: this guard is closed at line 1714 and immediately reopened at
 * 1716; the two OPENSSL_NO_ECDH regions could be one. */
1314 #ifndef OPENSSL_NO_ECDH
1318 TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
1319 TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
1325 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1326 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1334 TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
1335 TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
1341 SSL_NOT_EXP|SSL_MEDIUM,
1342 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1350 TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
1351 TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
1357 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1358 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1366 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1367 TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1373 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1374 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1382 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1383 TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1389 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1390 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1398 TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
1399 TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
1405 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1406 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1414 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
1415 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
1421 SSL_NOT_EXP|SSL_MEDIUM,
1422 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1430 TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
1431 TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
1437 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1438 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1446 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1447 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1453 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1454 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1462 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1463 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1469 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1470 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1478 TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
1479 TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
1485 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1486 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1494 TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
1495 TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
1501 SSL_NOT_EXP|SSL_MEDIUM,
1502 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1510 TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1511 TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1517 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1518 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1526 TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
1527 TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
1533 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1534 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1542 TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
1543 TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
1549 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1550 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1558 TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
1559 TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1565 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1566 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1574 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
1575 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
1581 SSL_NOT_EXP|SSL_MEDIUM,
1582 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1590 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1591 TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1597 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1598 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1606 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1607 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1613 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1614 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1622 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1623 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1629 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1630 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
/* Anonymous ECDH suites (ECDH_anon_*): no peer authentication. */
1638 TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1639 TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1645 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1646 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1654 TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1655 TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1661 SSL_NOT_EXP|SSL_MEDIUM,
1662 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1670 TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1671 TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1677 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1678 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1686 TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
1687 TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1693 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1694 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1702 TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
1703 TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1709 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1710 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1714 #endif /* OPENSSL_NO_ECDH */
1716 #ifndef OPENSSL_NO_ECDH
1718 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
/* CBC suites with a SHA256/SHA384 handshake MAC and PRF but no AEAD flags. */
1723 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
1724 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1730 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1731 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1739 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
1740 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1746 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1747 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1755 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
1756 TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
1762 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1763 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1771 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
1772 TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
1778 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1779 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1787 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
1788 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1794 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1795 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1803 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
1804 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1810 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1811 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1819 TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
1820 TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
1826 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1827 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1835 TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
1836 TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
1842 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1843 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1848 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
1853 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1854 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1860 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1861 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1869 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1870 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1876 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1877 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1878 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1886 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
1887 TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
1893 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1894 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1902 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
1903 TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
1909 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1910 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1911 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1919 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1920 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1926 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1927 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1935 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1936 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1942 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1943 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1944 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1952 TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
1953 TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
1959 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1960 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1968 TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
1969 TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
1975 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1976 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1977 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
1982 /* ECDH PSK ciphersuites */
/* Unlike the other GCM entries this one carries no SSL_FIPS flag;
 * presumably deliberate (PSK key exchange), but worth confirming if a FIPS
 * cipher-string filter is expected to keep it. */
1986 TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
1987 TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
1993 SSL_NOT_EXP|SSL_HIGH,
1994 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
1995 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
2000 #endif /* OPENSSL_NO_ECDH */
/* ChaCha20-Poly1305 suites. Two observations:
 *  - FIXED_NONCE_LEN(0) with no VARIABLE_NONCE_INCLUDED_IN_RECORD flag
 *    means no nonce bytes are fixed and none travel in the record, so the
 *    whole nonce must come from per-record state (presumably the sequence
 *    number) -- confirm in the AEAD record code.
 *  - The two ECDHE_* entries sit after the #endif above, i.e. outside the
 *    OPENSSL_NO_ECDH guard that covers every other ECDH(E) suite. If that
 *    build option is meant to drop all EC key exchange, these two would
 *    still be listed; worth a look. */
2004 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
2005 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
2008 SSL_CHACHA20POLY1305,
2011 SSL_NOT_EXP|SSL_HIGH,
2012 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
2019 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
2020 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
2023 SSL_CHACHA20POLY1305,
2026 SSL_NOT_EXP|SSL_HIGH,
2027 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
2034 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
2035 TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
2038 SSL_CHACHA20POLY1305,
2041 SSL_NOT_EXP|SSL_HIGH,
2042 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
/* SSL3_ENC_METHOD for SSLv3. This is a positional initializer and the
 * struct's field names are not visible here, so the slots are described by
 * what is put in them: the ssl3_* handshake/record hooks named below, a
 * Finished-MAC length of MD5 plus SHA-1 output, the client/server Finished
 * labels with their 4-byte lengths, one function-pointer slot explicitly
 * wired to ssl_undefined_function, and the handshake header length plus
 * its header/write hooks. Short initializer lines did not survive this
 * listing (e.g. between 2057 and 2062). */
2050 SSL3_ENC_METHOD SSLv3_enc_data={
2053 ssl3_setup_key_block,
2054 ssl3_generate_master_secret,
2055 ssl3_change_cipher_state,
2056 ssl3_final_finish_mac,
/* SSLv3 Finished MAC is the MD5 and SHA-1 digests concatenated. */
2057 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2058 ssl3_cert_verify_mac,
2059 SSL3_MD_CLIENT_FINISHED_CONST,4,
2060 SSL3_MD_SERVER_FINISHED_CONST,4,
/* Deliberately unsupported for SSLv3: the slot is filled with a cast of
 * ssl_undefined_function so a call fails loudly instead of dereferencing
 * NULL. The signature (label, context, use_context) suggests this is the
 * keying-material exporter, which needs a TLS PRF -- confirm against the
 * SSL3_ENC_METHOD declaration. */
2062 (int (*)(SSL *, unsigned char *, size_t, const char *,
2063 size_t, const unsigned char *, size_t,
2064 int use_context))ssl_undefined_function,
2066 SSL3_HM_HEADER_LENGTH,
2067 ssl3_set_handshake_header,
2068 ssl3_handshake_write
/* Default lifetime, in seconds, of an SSLv3 session (presumably consumed by
 * the session cache). The return statement itself did not survive this
 * listing; the comment in the body records the chosen value and why. */
2071 long ssl3_default_timeout(void)
2073 /* 2 hours, the 24 hours mentioned in the SSLv3 spec
2074 * is way too long for http, the cache would over fill */
/* Number of entries in the ssl3_ciphers table, as an int for the
 * SSL_METHOD interface. SSL3_NUM_CIPHERS is a size_t; the conversion is
 * harmless for a table this small. */
int ssl3_num_ciphers(void)
{
	const size_t count = SSL3_NUM_CIPHERS;
	return (int)count;
}
/* Returns the u-th cipher of ssl3_ciphers counted from the END of the table
 * (index 0 is the last, highest-id entry), so the bounds check below is what
 * keeps SSL3_NUM_CIPHERS-1-u from wrapping. What is returned when u is out
 * of range is not visible in this listing. */
2083 const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
2085 if (u < SSL3_NUM_CIPHERS)
2086 return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
/* Number of buffered bytes available to the application: the current
 * record's length if it is application data, otherwise 0. The statement
 * taken when rstate == SSL_ST_READ_BODY (a record still being read) did
 * not survive this listing. */
2091 int ssl3_pending(const SSL *s)
2093 if (s->rstate == SSL_ST_READ_BODY)
/* rrec.length's declared type is not visible here; it is narrowed to int on
 * return, which is only safe while the record layer bounds it well below
 * INT_MAX -- TLS records are, but confirm the field's type. */
2096 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
/* Prepares the handshake header for a message of body length len in
 * s->init_buf and records the total number of bytes to send in
 * s->init_num. The lines that write the type byte and length through p did
 * not survive this listing. */
2099 void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
2101 unsigned char *p = (unsigned char *)s->init_buf->data;
/* NOTE(review): (int)len narrows an unsigned long. Callers presumably keep
 * handshake bodies far below INT_MAX, but nothing here enforces it. */
2104 s->init_num = (int)len + SSL3_HM_HEADER_LENGTH;
/* Flushes the pending handshake message via the generic record writer,
 * tagging it as a handshake record. Returns whatever ssl3_do_write returns. */
int ssl3_handshake_write(SSL *s)
{
	const int record_type = SSL3_RT_HANDSHAKE;
	return ssl3_do_write(s, record_type);
}
/* Allocates and zero-initialises the per-connection SSL3_STATE, copies the
 * Channel ID settings from the SSL_CTX, and runs the method's clear hook.
 * The declaration of s3, the assignment into s->s3, the return statements
 * and the err: label did not survive this listing. */
2113 int ssl3_new(SSL *s)
2117 if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
2118 memset(s3,0,sizeof *s3);
/* The two seq_num memsets are redundant: the whole struct was just zeroed
 * on the line above. Harmless, but they document nothing. */
2119 memset(s3->rrec.seq_num,0,sizeof(s3->rrec.seq_num));
2120 memset(s3->wrec.seq_num,0,sizeof(s3->wrec.seq_num));
2124 s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled;
2125 if (s->ctx->tlsext_channel_id_private)
/* NOTE(review): EVP_PKEY_dup's result is not checked. On failure the
 * connection keeps tlsext_channel_id_enabled set but has no private key;
 * confirm that a later check turns that into a handshake error rather
 * than a silently unauthenticated Channel ID. */
2126 s->tlsext_channel_id_private = EVP_PKEY_dup(s->ctx->tlsext_channel_id_private);
2127 s->method->ssl_clear(s);
/* Releases everything owned by s->s3 and then s->s3 itself. The guard
 * against a NULL s / s->s3, the #endif lines for the DH and ECDH blocks,
 * the closing brace of the handshake_buffer branch and the final
 * s->s3 = NULL did not survive this listing. */
2133 void ssl3_free(SSL *s)
2138 ssl3_cleanup_key_block(s);
2139 if (s->s3->rbuf.buf != NULL)
2140 ssl3_release_read_buffer(s);
2141 if (s->s3->wbuf.buf != NULL)
2142 ssl3_release_write_buffer(s);
2143 #ifndef OPENSSL_NO_DH
2144 if (s->s3->tmp.dh != NULL)
2145 DH_free(s->s3->tmp.dh);
2147 #ifndef OPENSSL_NO_ECDH
2148 if (s->s3->tmp.ecdh != NULL)
2149 EC_KEY_free(s->s3->tmp.ecdh);
2152 if (s->s3->tmp.ca_names != NULL)
2153 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
2154 if (s->s3->tmp.certificate_types != NULL)
2155 OPENSSL_free(s->s3->tmp.certificate_types);
2156 if (s->s3->handshake_buffer) {
2157 BIO_free(s->s3->handshake_buffer);
2159 if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
/* alpn_selected is released with OPENSSL_free here but with plain free()
 * in ssl3_clear(); the two should agree on one deallocator. */
2160 if (s->s3->alpn_selected)
2161 OPENSSL_free(s->s3->alpn_selected);
/* Scrub before freeing: s3 carries key-exchange state (tmp.*) and a plain
 * memset on a dead object could be optimised away, so the cleanse call is
 * the right primitive here. */
2163 OPENSSL_cleanse(s->s3,sizeof *s->s3);
2164 OPENSSL_free(s->s3);
/* Resets s->s3 for reuse of the connection object: frees per-handshake
 * state, zeroes the struct, then restores the read/write buffers and
 * init_extra so their allocations survive, and resets renegotiation
 * counters and the protocol version. The declarations of rlen, wlen and
 * init_extra, the braces/#endif lines of the DH, ECDH, handshake and NPN
 * blocks and the function's closing brace did not survive this listing. */
2168 void ssl3_clear(SSL *s)
2170 unsigned char *rp,*wp;
2174 ssl3_cleanup_key_block(s);
2175 if (s->s3->tmp.ca_names != NULL)
2176 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
2177 if (s->s3->tmp.certificate_types != NULL)
2178 OPENSSL_free(s->s3->tmp.certificate_types);
2179 s->s3->tmp.num_certificate_types = 0;
2181 #ifndef OPENSSL_NO_DH
2182 if (s->s3->tmp.dh != NULL)
2184 DH_free(s->s3->tmp.dh);
2185 s->s3->tmp.dh = NULL;
2188 #ifndef OPENSSL_NO_ECDH
2189 if (s->s3->tmp.ecdh != NULL)
2191 EC_KEY_free(s->s3->tmp.ecdh);
2192 s->s3->tmp.ecdh = NULL;
/* Save the buffer pointers/lengths and init_extra so the memset below can
 * wipe the whole struct without leaking the buffer allocations. */
2195 rp = s->s3->rbuf.buf;
2196 wp = s->s3->wbuf.buf;
2197 rlen = s->s3->rbuf.len;
2198 wlen = s->s3->wbuf.len;
2199 init_extra = s->s3->init_extra;
2200 if (s->s3->handshake_buffer) {
2201 BIO_free(s->s3->handshake_buffer);
2202 s->s3->handshake_buffer = NULL;
2204 if (s->s3->handshake_dgst) {
2205 ssl3_free_digest_list(s);
2208 if (s->s3->alpn_selected)
/* NOTE(review): ssl3_free() releases this same field with OPENSSL_free();
 * unless OPENSSL_free is a plain free() in this build, the deallocator
 * mismatch is a heap-corruption bug. Align the two. */
2210 free(s->s3->alpn_selected);
2211 s->s3->alpn_selected = NULL;
/* Plain memset is adequate here (unlike ssl3_free) because s3 stays live
 * and is written again immediately, so the store cannot be dropped as
 * dead. Only the buffer pointers are restored; the buffers' contents are
 * not scrubbed. */
2213 memset(s->s3,0,sizeof *s->s3);
2214 s->s3->rbuf.buf = rp;
2215 s->s3->wbuf.buf = wp;
2216 s->s3->rbuf.len = rlen;
2217 s->s3->wbuf.len = wlen;
2218 s->s3->init_extra = init_extra;
2220 ssl_free_wbio_buffer(s);
2223 s->s3->renegotiate=0;
2224 s->s3->total_renegotiations=0;
2225 s->s3->num_renegotiations=0;
2226 s->s3->in_read_app_data=0;
/* Version is reset to SSLv3; any TLS version negotiated previously is
 * forgotten along with the rest of s3. */
2227 s->version=SSL3_VERSION;
2229 #if !defined(OPENSSL_NO_NEXTPROTONEG)
2230 if (s->next_proto_negotiated)
2232 OPENSSL_free(s->next_proto_negotiated);
2233 s->next_proto_negotiated = NULL;
2234 s->next_proto_negotiated_len = 0;
/* Redundant after the memset above but makes the intent explicit. */
2238 s->s3->tlsext_channel_id_valid = 0;
/* Forward declaration: ssl3_set_req_cert_type is defined further down in this
 * file and is shared by ssl3_ctrl and ssl3_ctx_ctrl
 * (SSL_CTRL_SET_CLIENT_CERT_TYPES). */
2241 static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len);
/* ssl3_ctrl is the SSL_ctrl implementation for the SSLv3/TLS method. |cmd|
 * selects the operation; |larg| and |parg| carry its arguments. The return
 * value is command-specific: several cases return a count or a length (noted
 * below), the others' returns are not visible in this listing, nor are the
 * |switch (cmd)| statement, the shared |ret| variable and most |break|s. */
2243 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
/* The temporary-key commands need |s->cert| to exist; it is instantiated on
 * demand and the call fails with ERR_R_MALLOC_FAILURE if that is impossible.
 * NOTE(review): the DH commands are included under OPENSSL_NO_DSA rather than
 * OPENSSL_NO_DH (the case labels below use OPENSSL_NO_DH) -- harmless unless
 * the two options are configured differently. */
2248 cmd == SSL_CTRL_SET_TMP_RSA ||
2249 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
2250 #ifndef OPENSSL_NO_DSA
2251 cmd == SSL_CTRL_SET_TMP_DH ||
2252 cmd == SSL_CTRL_SET_TMP_DH_CB ||
2256 if (!ssl_cert_inst(&s->cert))
2258 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_MALLOC_FAILURE);
2265 case SSL_CTRL_GET_SESSION_REUSED:
2268 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
/* Renegotiation counters: |num_renegotiations| counts since the last clear,
 * |total_renegotiations| is the lifetime count for this connection. */
2270 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
2271 ret=s->s3->num_renegotiations;
2273 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
2274 ret=s->s3->num_renegotiations;
2275 s->s3->num_renegotiations=0;
2277 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
2278 ret=s->s3->total_renegotiations;
2280 case SSL_CTRL_GET_FLAGS:
2281 ret=(int)(s->s3->flags);
/* Temporary RSA keys are not supported by this implementation: the setters
 * report ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED. */
2283 case SSL_CTRL_NEED_TMP_RSA:
2284 /* Temporary RSA keys are never used. */
2287 case SSL_CTRL_SET_TMP_RSA:
2288 /* Temporary RSA keys are never used. */
2289 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2291 case SSL_CTRL_SET_TMP_RSA_CB:
2293 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2297 #ifndef OPENSSL_NO_DH
/* Install parameters for ephemeral DH. The parameters are copied and, unless
 * SSL_OP_SINGLE_DH_USE is set, a key pair is generated once here -- that
 * single private value is then reused by every handshake on |s|. */
2298 case SSL_CTRL_SET_TMP_DH:
2300 DH *dh = (DH *)parg;
2303 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
2306 if ((dh = DHparams_dup(dh)) == NULL)
2308 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);
2311 if (!(s->options & SSL_OP_SINGLE_DH_USE))
2313 if (!DH_generate_key(dh))
2316 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);
/* Replace any previously installed parameters; ownership of the copy moves to
 * |s->cert|. */
2320 if (s->cert->dh_tmp != NULL)
2321 DH_free(s->cert->dh_tmp);
2322 s->cert->dh_tmp = dh;
2326 case SSL_CTRL_SET_TMP_DH_CB:
2328 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2333 #ifndef OPENSSL_NO_ECDH
/* Install the ephemeral ECDH key. Unlike the SSL_CTX variant in ssl3_ctx_ctrl,
 * which duplicates the key, this path only takes a reference to the caller's
 * EC_KEY, so the EC_KEY_generate_key below (run unless SSL_OP_SINGLE_ECDH_USE
 * is set) mutates the caller's object. */
2334 case SSL_CTRL_SET_TMP_ECDH:
2336 EC_KEY *ecdh = NULL;
2340 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
2343 if (!EC_KEY_up_ref((EC_KEY *)parg))
2345 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);
2348 ecdh = (EC_KEY *)parg;
2349 if (!(s->options & SSL_OP_SINGLE_ECDH_USE))
2351 if (!EC_KEY_generate_key(ecdh))
2354 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);
2358 if (s->cert->ecdh_tmp != NULL)
2359 EC_KEY_free(s->cert->ecdh_tmp);
2360 s->cert->ecdh_tmp = ecdh;
2364 case SSL_CTRL_SET_TMP_ECDH_CB:
2366 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2370 #endif /* !OPENSSL_NO_ECDH */
/* Set the SNI host name. Only TLSEXT_NAMETYPE_host_name is accepted; the old
 * value is released, the new one is length-checked against
 * TLSEXT_MAXLEN_host_name and copied with BUF_strdup. The handling of a NULL
 * |parg| between the free and the length check is not visible here. */
2371 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2372 if (larg == TLSEXT_NAMETYPE_host_name)
2374 if (s->tlsext_hostname != NULL)
2375 OPENSSL_free(s->tlsext_hostname);
2376 s->tlsext_hostname = NULL;
2381 if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name)
2383 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
2386 if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL)
2388 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_INTERNAL_ERROR);
2394 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
2398 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
2399 s->tlsext_debug_arg=parg;
2403 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
2404 s->tlsext_status_type=larg;
/* OCSP status_request accessors: the getters write the stored pointer through
 * |parg|, the setters store |parg| as-is without copying. */
2408 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
2409 *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts;
2413 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
2414 s->tlsext_ocsp_exts = parg;
2418 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
2419 *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids;
2423 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
2424 s->tlsext_ocsp_ids = parg;
/* Returns the length of the stored OCSP response. */
2428 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
2429 *(unsigned char **)parg = s->tlsext_ocsp_resp;
2430 return s->tlsext_ocsp_resplen;
/* Takes ownership of |parg| (|larg| bytes). The previous response is released
 * with OPENSSL_free, so the new buffer must come from the same allocator. */
2432 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
2433 if (s->tlsext_ocsp_resp)
2434 OPENSSL_free(s->tlsext_ocsp_resp);
2435 s->tlsext_ocsp_resp = parg;
2436 s->tlsext_ocsp_resplen = larg;
/* Certificate chain management is delegated to the ssl_cert_* helpers. The
 * set1/add1 variants take their own reference, the set0/add0 variants take
 * ownership of |parg|; which one runs is selected by a test on |larg| that is
 * not visible here. */
2441 case SSL_CTRL_CHAIN:
2443 return ssl_cert_set1_chain(s->cert,
2444 (STACK_OF (X509) *)parg);
2446 return ssl_cert_set0_chain(s->cert,
2447 (STACK_OF (X509) *)parg);
2449 case SSL_CTRL_CHAIN_CERT:
2451 return ssl_cert_add1_chain_cert(s->cert, (X509 *)parg);
2453 return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
2455 case SSL_CTRL_GET_CHAIN_CERTS:
2456 *(STACK_OF(X509) **)parg = s->cert->key->chain;
2459 case SSL_CTRL_SELECT_CURRENT_CERT:
2460 return ssl_cert_select_current(s->cert, (X509 *)parg);
2462 #ifndef OPENSSL_NO_EC
/* Report the curves recorded on the session. Each curve id is mapped to a
 * NID; ids without a NID are passed through tagged with TLSEXT_nid_unknown.
 * Returns the number of curves. NOTE(review): no bound on the output array
 * |cptr| is visible in this listing -- presumably callers query the count
 * first (with a NULL |parg|) and size the array accordingly; confirm. */
2463 case SSL_CTRL_GET_CURVES:
2465 const uint16_t *clist;
2469 clist = s->session->tlsext_ellipticcurvelist;
2470 clistlen = s->session->tlsext_ellipticcurvelist_length;
2476 for (i = 0; i < clistlen; i++)
2478 nid = tls1_ec_curve_id2nid(clist[i]);
2479 if (nid != OBJ_undef)
2482 cptr[i] = TLSEXT_nid_unknown | clist[i];
2485 return (int)clistlen;
2488 case SSL_CTRL_SET_CURVES:
2489 return tls1_set_curves(&s->tlsext_ellipticcurvelist,
2490 &s->tlsext_ellipticcurvelist_length,
2493 case SSL_CTRL_SET_ECDH_AUTO:
2494 s->cert->ecdh_tmp_auto = larg;
/* Signature algorithm preferences; the trailing argument selects the server
 * (0) or client (1) list. */
2497 case SSL_CTRL_SET_SIGALGS:
2498 return tls1_set_sigalgs(s->cert, parg, larg, 0);
2500 case SSL_CTRL_SET_CLIENT_SIGALGS:
2501 return tls1_set_sigalgs(s->cert, parg, larg, 1);
/* Only meaningful on a client that has received a CertificateRequest
 * (|s->s3->tmp.cert_req| set): exposes the server's certificate_types list
 * and returns its length. */
2503 case SSL_CTRL_GET_CLIENT_CERT_TYPES:
2505 const unsigned char **pctype = parg;
2506 if (s->server || !s->s3->tmp.cert_req)
2509 *pctype = s->s3->tmp.certificate_types;
2510 return (int)s->s3->tmp.num_certificate_types;
2513 case SSL_CTRL_SET_CLIENT_CERT_TYPES:
2516 return ssl3_set_req_cert_type(s->cert, parg, larg);
2518 case SSL_CTRL_BUILD_CERT_CHAIN:
2519 return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);
2521 case SSL_CTRL_SET_VERIFY_CERT_STORE:
2522 return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
2524 case SSL_CTRL_SET_CHAIN_CERT_STORE:
2525 return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
/* Peer signature digest: only available when signature algorithms are in use
 * and a peer key with a digest was recorded on the session. */
2527 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
2528 if (SSL_USE_SIGALGS(s))
2530 if (s->session && s->session->sess_cert)
2533 sig = s->session->sess_cert->peer_key->digest;
2536 *(int *)parg = EVP_MD_type(sig);
2542 /* Might want to do something here for other versions */
/* Client side only: wrap the server's ephemeral key (RSA, DH or ECDH,
 * whichever was recorded on the session) in a fresh EVP_PKEY for the caller.
 * The set1 calls add a reference rather than copying; on failure the EVP_PKEY
 * is freed (the |rv| test that selects between the two is not visible). */
2546 case SSL_CTRL_GET_SERVER_TMP_KEY:
2547 if (s->server || !s->session || !s->session->sess_cert)
2554 sc = s->session->sess_cert;
2555 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
2556 if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
2557 && !sc->peer_ecdh_tmp)
2560 ptmp = EVP_PKEY_new();
2564 else if (sc->peer_rsa_tmp)
2565 rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
2566 #ifndef OPENSSL_NO_DH
2567 else if (sc->peer_dh_tmp)
2568 rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
2570 #ifndef OPENSSL_NO_ECDH
2571 else if (sc->peer_ecdh_tmp)
2572 rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
2576 *(EVP_PKEY **)parg = ptmp;
2579 EVP_PKEY_free(ptmp);
2582 #ifndef OPENSSL_NO_EC
/* Expose the peer's EC point format list from the session and return its
 * length. */
2583 case SSL_CTRL_GET_EC_POINT_FORMATS:
2585 SSL_SESSION *sess = s->session;
2586 const unsigned char **pformat = parg;
2587 if (!sess || !sess->tlsext_ecpointformatlist)
2589 *pformat = sess->tlsext_ecpointformatlist;
2590 return (int)sess->tlsext_ecpointformatlist_length;
/* Channel ID. Enabling it per connection has no role check here, whereas the
 * SSL_CTX variant in ssl3_ctx_ctrl refuses on a client-only method;
 * presumably the handshake code enforces the role -- confirm. */
2594 case SSL_CTRL_CHANNEL_ID:
2595 s->tlsext_channel_id_enabled = 1;
/* Install the client's Channel ID private key. Only the key size is checked
 * in the visible lines (256 bits, otherwise SSL_R_CHANNEL_ID_NOT_P256);
 * whether the key is an EC key on P-256 is not verified here. The key is
 * duplicated, so the caller keeps ownership of |parg|. */
2599 case SSL_CTRL_SET_CHANNEL_ID:
2602 s->tlsext_channel_id_enabled = 1;
2603 if (EVP_PKEY_bits(parg) != 256)
2605 OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
2608 if (s->tlsext_channel_id_private)
2609 EVP_PKEY_free(s->tlsext_channel_id_private);
2610 s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);
/* Copy the validated peer Channel ID (at most 64 bytes) into |parg|.
 * NOTE(review): the bound only caps |larg| from above; a negative |larg|
 * would convert to a very large size_t for memcpy. Callers are presumed to
 * pass a non-negative length -- confirm against the public wrapper. */
2614 case SSL_CTRL_GET_CHANNEL_ID:
2617 if (!s->s3->tlsext_channel_id_valid)
2619 memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
/* Set the fallback-SCSV flag; it is consumed by the handshake code, which is
 * not part of this listing. */
2622 case SSL_CTRL_FALLBACK_SCSV:
2625 s->fallback_scsv = 1;
/* ssl3_callback_ctrl is the SSL_callback_ctrl implementation: it stores the
 * function pointer |fp| selected by |cmd| on |s|. Each callback is stored
 * through a cast to its real signature, so the caller must pass a function of
 * the matching type. As in ssl3_ctrl, the temporary-key callbacks require
 * |s->cert| to exist (ssl_cert_inst, failing with ERR_R_MALLOC_FAILURE). The
 * |switch| and the return statements are not visible in this listing. */
2635 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
/* NOTE(review): the DH callback is included under OPENSSL_NO_DSA here while
 * its case label below is under OPENSSL_NO_DH -- same pattern as ssl3_ctrl. */
2640 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
2641 #ifndef OPENSSL_NO_DSA
2642 cmd == SSL_CTRL_SET_TMP_DH_CB ||
2646 if (!ssl_cert_inst(&s->cert))
2648 OPENSSL_PUT_ERROR(SSL, ssl3_callback_ctrl, ERR_R_MALLOC_FAILURE);
2655 case SSL_CTRL_SET_TMP_RSA_CB:
2656 /* Ignore the callback; temporary RSA keys are never used. */
2658 #ifndef OPENSSL_NO_DH
/* Callback signature: DH *cb(SSL *s, int is_export, int keylength). */
2659 case SSL_CTRL_SET_TMP_DH_CB:
2661 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2665 #ifndef OPENSSL_NO_ECDH
/* Callback signature: EC_KEY *cb(SSL *s, int is_export, int keylength). */
2666 case SSL_CTRL_SET_TMP_ECDH_CB:
2668 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
2672 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2673 s->tlsext_debug_cb=(void (*)(SSL *,int ,int,
2674 unsigned char *, int, void *))fp;
/* ssl3_ctx_ctrl is the SSL_CTX_ctrl implementation for the SSLv3/TLS method;
 * it mirrors ssl3_ctrl but operates on the context's |cert| and settings so
 * they are inherited by every SSL created from |ctx|. The |switch (cmd)|
 * statement, the local |cert|/|dh| variables' declarations and most |break|
 * and |return| statements are not visible in this listing. */
2682 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2690 case SSL_CTRL_NEED_TMP_RSA:
2691 /* Temporary RSA keys are never used. */
2693 case SSL_CTRL_SET_TMP_RSA:
2694 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2696 case SSL_CTRL_SET_TMP_RSA_CB:
2698 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2702 #ifndef OPENSSL_NO_DH
/* Copy the DH parameters into |new| and, unless SSL_OP_SINGLE_DH_USE is set,
 * generate a key pair once here; that private value is then shared by all
 * handshakes using this context. The store into |cert->dh_tmp| after the
 * free is not visible here. */
2703 case SSL_CTRL_SET_TMP_DH:
2708 if ((new=DHparams_dup(dh)) == NULL)
2710 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
2713 if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
2715 if (!DH_generate_key(new))
2717 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
2722 if (cert->dh_tmp != NULL)
2723 DH_free(cert->dh_tmp);
2728 case SSL_CTRL_SET_TMP_DH_CB:
2730 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2735 #ifndef OPENSSL_NO_ECDH
/* Install the ephemeral ECDH key on the context. The caller's key is
 * duplicated (unlike ssl3_ctrl, which takes a reference), so the key
 * generation below never touches the caller's object. */
2736 case SSL_CTRL_SET_TMP_ECDH:
2738 EC_KEY *ecdh = NULL;
2742 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);
2745 ecdh = EC_KEY_dup((EC_KEY *)parg);
2748 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_EC_LIB);
2751 if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE))
2753 if (!EC_KEY_generate_key(ecdh))
2756 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);
2761 if (cert->ecdh_tmp != NULL)
2763 EC_KEY_free(cert->ecdh_tmp);
2765 cert->ecdh_tmp = ecdh;
2769 case SSL_CTRL_SET_TMP_ECDH_CB:
2771 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2775 #endif /* !OPENSSL_NO_ECDH */
2776 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2777 ctx->tlsext_servername_arg=parg;
/* Session-ticket keys are exchanged as one 48-byte blob: 16 bytes key name,
 * 16 bytes HMAC key, 16 bytes AES key. A wrong length is rejected with
 * SSL_R_INVALID_TICKET_KEYS_LENGTH (the comparison itself is not visible
 * here). The getter hands out the live ticket-protection secrets, so the
 * caller's buffer must be treated as key material. */
2779 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
2780 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
2782 unsigned char *keys = parg;
2787 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_INVALID_TICKET_KEYS_LENGTH);
2790 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS)
2792 memcpy(ctx->tlsext_tick_key_name, keys, 16);
2793 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
2794 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
2798 memcpy(keys, ctx->tlsext_tick_key_name, 16);
2799 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
2800 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
2805 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2806 ctx->tlsext_status_arg=parg;
2810 #ifndef OPENSSL_NO_EC
2811 case SSL_CTRL_SET_CURVES:
2812 return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
2813 &ctx->tlsext_ellipticcurvelist_length,
2816 case SSL_CTRL_SET_ECDH_AUTO:
2817 ctx->cert->ecdh_tmp_auto = larg;
/* Signature algorithm preferences; the trailing argument selects the server
 * (0) or client (1) list. */
2820 case SSL_CTRL_SET_SIGALGS:
2821 return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
2823 case SSL_CTRL_SET_CLIENT_SIGALGS:
2824 return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
2826 case SSL_CTRL_SET_CLIENT_CERT_TYPES:
2827 return ssl3_set_req_cert_type(ctx->cert, parg, larg);
2829 case SSL_CTRL_BUILD_CERT_CHAIN:
2830 return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);
2832 case SSL_CTRL_SET_VERIFY_CERT_STORE:
2833 return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
2835 case SSL_CTRL_SET_CHAIN_CERT_STORE:
2836 return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
2839 /* A Thawte special :-) */
/* Append |parg| to the legacy extra-chain list, creating the list on first
 * use. The certificate is pushed without taking a reference, so ownership of
 * |parg| passes to |ctx|. NOTE(review): the sk_X509_push return value is not
 * checked, so an allocation failure inside the push goes unreported. */
2840 case SSL_CTRL_EXTRA_CHAIN_CERT:
2841 if (ctx->extra_certs == NULL)
2843 if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
2846 sk_X509_push(ctx->extra_certs,(X509 *)parg);
/* With no extra certs configured and |larg| == 0, fall back to reporting the
 * current certificate's own chain. */
2849 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
2850 if (ctx->extra_certs == NULL && larg == 0)
2851 *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
2853 *(STACK_OF(X509) **)parg = ctx->extra_certs;
2856 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
2857 if (ctx->extra_certs)
2859 sk_X509_pop_free(ctx->extra_certs, X509_free);
2860 ctx->extra_certs = NULL;
/* Chain management mirrors ssl3_ctrl: set1/add1 take a reference, set0/add0
 * take ownership; the selecting |larg| test is not visible here. */
2864 case SSL_CTRL_CHAIN:
2866 return ssl_cert_set1_chain(ctx->cert,
2867 (STACK_OF (X509) *)parg);
2869 return ssl_cert_set0_chain(ctx->cert,
2870 (STACK_OF (X509) *)parg);
2872 case SSL_CTRL_CHAIN_CERT:
2874 return ssl_cert_add1_chain_cert(ctx->cert, (X509 *)parg);
2876 return ssl_cert_add0_chain_cert(ctx->cert, (X509 *)parg);
2878 case SSL_CTRL_GET_CHAIN_CERTS:
2879 *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
2882 case SSL_CTRL_SELECT_CURRENT_CERT:
2883 return ssl_cert_select_current(ctx->cert, (X509 *)parg);
/* Channel ID can only be enabled on a context whose method can accept
 * connections; a client-only method (ssl_accept is the undefined stub) is
 * rejected (the failing return is not visible here). */
2885 case SSL_CTRL_CHANNEL_ID:
2886 /* must be called on a server */
2887 if (ctx->method->ssl_accept == ssl_undefined_function)
2889 ctx->tlsext_channel_id_enabled=1;
/* Install the context-wide Channel ID private key; only the 256-bit size is
 * checked in the visible lines, and the key is duplicated so the caller
 * keeps ownership of |parg|. */
2892 case SSL_CTRL_SET_CHANNEL_ID:
2893 ctx->tlsext_channel_id_enabled = 1;
2894 if (EVP_PKEY_bits(parg) != 256)
2896 OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
2899 if (ctx->tlsext_channel_id_private)
2900 EVP_PKEY_free(ctx->tlsext_channel_id_private);
2901 ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);
/* ssl3_ctx_callback_ctrl is the SSL_CTX_callback_ctrl implementation: it
 * stores the function pointer |fp| selected by |cmd| on |ctx| (or on its
 * |cert|, presumably bound to ctx->cert in a line not visible here). Each
 * callback is stored through a cast to its real signature, so the caller must
 * pass a function of the matching type. The |switch| and return statements
 * are not visible in this listing. */
2910 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2918 case SSL_CTRL_SET_TMP_RSA_CB:
2919 /* Ignore the callback; temporary RSA keys are never used. */
2921 #ifndef OPENSSL_NO_DH
2922 case SSL_CTRL_SET_TMP_DH_CB:
2924 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2928 #ifndef OPENSSL_NO_ECDH
2929 case SSL_CTRL_SET_TMP_ECDH_CB:
2931 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
2935 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2936 ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp;
2939 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
2940 ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp;
/* Ticket key callback; the middle parameters of its signature are on a line
 * not visible in this listing. */
2943 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
2944 ctx->tlsext_ticket_key_cb=(int (*)(SSL *,unsigned char *,
2947 HMAC_CTX *, int))fp;
/* ssl3_get_cipher_by_value returns the SSL_CIPHER with value |value| or NULL if
 * no such cipher exists in |ssl3_ciphers|. The lookup is a binary search with
 * ssl_cipher_id_cmp, so |ssl3_ciphers| must be kept sorted by id.
 *
 * This function still needs to check that the ciphers it returns are actually
 * usable in the current configuration (the original remark here is truncated
 * in this listing). */
2961 const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value)
/* |c| is a stack SSL_CIPHER used only as the search key (its declaration is
 * not visible here); the SSLv3 prefix is added to form the full id. */
2965 c.id = 0x03000000L|value;
2966 return bsearch(&c, ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(SSL_CIPHER), ssl_cipher_id_cmp);
/* ssl3_get_cipher_value returns the 16-bit cipher suite value of |c| --
 * presumably the low 16 bits of its id, the inverse of the |0x03000000L|value|
 * composition in ssl3_get_cipher_by_value (the return statement is not visible
 * in this listing). */
2970 uint16_t ssl3_get_cipher_value(const SSL_CIPHER *c)
2972 unsigned long id = c->id;
2973 /* All ciphers are SSLv3 now. */
2974 assert((id & 0xff000000) == 0x03000000);
/* ssl_get_cipher_preferences returns the cipher preference list in effect for
 * |s|: the connection's own list if one was set; otherwise, for TLS 1.1 and
 * later, the context's TLS 1.1+ specific list if present; otherwise the
 * context's default list. The final return for the no-list case is not
 * visible in this listing. */
2978 struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
2980 if (s->cipher_list != NULL)
2981 return(s->cipher_list);
/* The TLS 1.1+ list lets a context keep a separate (typically stricter)
 * configuration for newer protocol versions. */
2983 if (s->version >= TLS1_1_VERSION)
2985 if (s->ctx != NULL && s->ctx->cipher_list_tls11 != NULL)
2986 return s->ctx->cipher_list_tls11;
2989 if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
2990 return(s->ctx->cipher_list);
/* ssl3_choose_cipher selects the cipher suite a server will negotiate given
 * the client's offered list |clnt| and the server's preferences |server_pref|.
 * It walks the list that takes priority (|prio|: the server's when
 * SSL_OP_CIPHER_SERVER_PREFERENCE or Suite B is in effect, otherwise the
 * other list -- the else-branch assignments are not visible here) and returns
 * the first cipher also present in |allow| that passes every check: TLS 1.2
 * only suites require SSL_USE_TLS1_2_CIPHERS, PSK suites require a
 * |psk_server_callback|, the key-exchange and authentication bits must be
 * permitted by the certificate masks, and EECDH suites must pass
 * tls1_check_ec_tmp_key. Equal-preference groups in |prio| (marked by
 * |in_group_flags|) are resolved by picking the member with the lowest index
 * in |allow|. Returns NULL if nothing matches (the final return is not
 * visible in this listing). */
2995 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2996 struct ssl_cipher_preference_list_st *server_pref)
2998 SSL_CIPHER *c,*ret=NULL;
2999 STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
3001 size_t cipher_index;
3003 unsigned long alg_k,alg_a,mask_k,mask_a;
3004 /* in_group_flags will either be NULL, or will point to an array of
3005 * bytes which indicate equal-preference groups in the |prio| stack.
3006 * See the comment about |in_group_flags| in the
3007 * |ssl_cipher_preference_list_st| struct. */
3008 const unsigned char *in_group_flags;
3009 /* group_min contains the minimal index so far found in a group, or -1
3010 * if no such value exists yet. */
3013 /* Let's see which ciphers we can support */
3017 /* Do not set the compare functions, because this may lead to a
3018 * reordering by "id". We want to keep the original ordering.
3019 * We may pay a price in performance during sk_SSL_CIPHER_find(),
3020 * but would have to pay with the price of sk_SSL_CIPHER_dup().
3022 sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
3023 sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
/* Debug tracing of both lists; the conditional that guards it is not visible
 * in this listing. */
3027 printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
3028 for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
3030 c=sk_SSL_CIPHER_value(srvr,i);
3031 printf("%p:%s\n",(void *)c,c->name);
3033 printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
3034 for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
3036 c=sk_SSL_CIPHER_value(clnt,i);
3037 printf("%p:%s\n",(void *)c,c->name);
/* Server preference (or Suite B, which mandates it) makes the server's list
 * the one being walked; only then do the equal-preference groups apply. */
3041 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s))
3044 in_group_flags = server_pref->in_group_flags;
3050 in_group_flags = NULL;
3054 tls1_set_cert_validity(s);
3056 for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
3058 c=sk_SSL_CIPHER_value(prio,i);
3062 /* Skip TLS v1.2 only ciphersuites if not supported */
3063 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
3064 !SSL_USE_TLS1_2_CIPHERS(s))
/* The masks describe which key-exchange/auth methods the configured
 * certificate(s) can actually support for this suite. */
3067 ssl_set_cert_masks(cert,c);
3068 mask_k = cert->mask_k;
3069 mask_a = cert->mask_a;
3072 /* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
3073 #endif /* KSSL_DEBUG */
3075 alg_k=c->algorithm_mkey;
3076 alg_a=c->algorithm_auth;
3078 /* with PSK there must be server callback set */
3079 if ((alg_a & SSL_aPSK) && s->psk_server_callback == NULL)
3082 ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
3084 printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
3088 #ifndef OPENSSL_NO_EC
3089 /* if we are considering an ECC cipher suite that uses
3090 * an ephemeral EC key check it */
3091 if (alg_k & SSL_kEECDH)
3092 ok = ok && tls1_check_ec_tmp_key(s, c->id);
3093 #endif /* OPENSSL_NO_EC */
3095 if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c))
3097 if (in_group_flags != NULL && in_group_flags[i] == 1)
3099 /* This element of |prio| is in a group. Update
3100 * the minimum index found so far and continue
3102 if (group_min == -1 || group_min > cipher_index)
3103 group_min = cipher_index;
/* Either not in a group, or this is the last member of one: prefer the best
 * (lowest-index) group member seen so far over the current match. */
3107 if (group_min != -1 && group_min < cipher_index)
3108 cipher_index = group_min;
3109 ret=sk_SSL_CIPHER_value(allow,cipher_index);
/* No match for this element, but a group just ended (flag 0) with an earlier
 * match recorded in |group_min|; the remaining condition is not visible. */
3114 if (in_group_flags != NULL &&
3115 in_group_flags[i] == 0 &&
3118 /* We are about to leave a group, but we found a match
3119 * in it, so that's our answer. */
3120 ret=sk_SSL_CIPHER_value(allow,group_min);
/* ssl3_get_req_cert_type fills |p| with the ClientCertificateType values a
 * server advertises in its CertificateRequest and returns how many bytes were
 * written. If the application configured an explicit list it is copied
 * verbatim; otherwise the set is derived from the negotiated key exchange
 * (|s->s3->tmp.new_cipher|), the protocol version, and -- in strict mode
 * (SSL_CERT_FLAGS_CHECK_TLS_STRICT) -- the signature algorithms we offer.
 * |p| carries no length argument, so the caller must size it for the longest
 * list this function can produce. The |nostrict| assignment and the final
 * |return ret| are not visible in this listing. */
3127 int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
3130 const unsigned char *sig;
3132 int have_rsa_sign = 0, have_dsa_sign = 0;
3133 #ifndef OPENSSL_NO_ECDSA
3134 int have_ecdsa_sign = 0;
3137 unsigned long alg_k;
3139 /* If we have custom certificate types set, use them */
3140 if (s->cert->client_certificate_types)
/* Unbounded copy into |p|: the caller is responsible for providing
 * |num_client_certificate_types| bytes of room. */
3142 memcpy(p, s->cert->client_certificate_types,
3143 s->cert->num_client_certificate_types);
3144 return (int)s->cert->num_client_certificate_types;
3146 /* get configured sigalgs */
3147 siglen = tls12_get_psigalgs(s, &sig);
/* In strict mode, record which signature algorithms we advertise so that only
 * certificate types we could actually verify are requested. Each sigalg is a
 * two-byte (hash, signature) pair; the switch on the signature byte is on
 * lines not visible here. */
3148 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3150 for (i = 0; i < siglen; i+=2, sig+=2)
3154 case TLSEXT_signature_rsa:
3158 case TLSEXT_signature_dsa:
3161 #ifndef OPENSSL_NO_ECDSA
3162 case TLSEXT_signature_ecdsa:
3163 have_ecdsa_sign = 1;
3169 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3171 #ifndef OPENSSL_NO_DH
3172 if (alg_k & (SSL_kDHr|SSL_kEDH))
3174 /* Since this refers to a certificate signed with an RSA
3175 * algorithm, only check for rsa signing in strict mode.
3177 if (nostrict || have_rsa_sign)
3178 p[ret++]=SSL3_CT_RSA_FIXED_DH;
3179 # ifndef OPENSSL_NO_DSA
3180 if (nostrict || have_dsa_sign)
3181 p[ret++]=SSL3_CT_DSS_FIXED_DH;
/* The ephemeral-DH certificate types exist only in SSLv3. */
3184 if ((s->version == SSL3_VERSION) &&
3185 (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
3187 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
3188 # ifndef OPENSSL_NO_DSA
3189 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
3192 #endif /* !OPENSSL_NO_DH */
/* Plain RSA (and DSS) signing certificates are always requested; the strict
 * mode guards for these are on lines not visible here. */
3194 p[ret++]=SSL3_CT_RSA_SIGN;
3195 #ifndef OPENSSL_NO_DSA
3197 p[ret++]=SSL3_CT_DSS_SIGN;
3199 #ifndef OPENSSL_NO_ECDH
/* Fixed-ECDH client certificates are TLS 1.0+ only. */
3200 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION))
3202 if (nostrict || have_rsa_sign)
3203 p[ret++]=TLS_CT_RSA_FIXED_ECDH;
3204 if (nostrict || have_ecdsa_sign)
3205 p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
3209 #ifndef OPENSSL_NO_ECDSA
3210 /* ECDSA certs can be used with RSA cipher suites as well
3211 * so we don't need to check for SSL_kECDH or SSL_kEECDH
3213 if (s->version >= TLS1_VERSION)
3215 if (have_ecdsa_sign)
3216 p[ret++]=TLS_CT_ECDSA_SIGN;
/* ssl3_set_req_cert_type replaces |c|'s explicit client certificate type list
 * with a copy of the |len| bytes at |p|. Any previous list is freed first and
 * the count is reset, so a failed or empty update never leaves a stale list
 * behind. The handling of an empty list and the return statements (success /
 * BUF_memdup failure) are not visible in this listing. */
3222 static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)
3224 if (c->client_certificate_types)
3226 OPENSSL_free(c->client_certificate_types);
3227 c->client_certificate_types = NULL;
3229 c->num_client_certificate_types = 0;
/* The list is copied, so the caller keeps ownership of |p|. */
3234 c->client_certificate_types = BUF_memdup(p, len);
3235 if (!c->client_certificate_types)
3237 c->num_client_certificate_types = len;
/* ssl3_shutdown drives the close_notify exchange. It returns 1 once both the
 * local close_notify has been sent and the peer's has been received with no
 * alert still pending, -1 when it needs to be called again because a write
 * (alert still to be dispatched) or a read (waiting for the peer's alert)
 * would block, and otherwise 0 (the remaining return statements are not
 * visible in this listing). With |quiet_shutdown| set, or before the
 * handshake has started, no alert is sent at all and both shutdown bits are
 * simply set. */
3241 int ssl3_shutdown(SSL *s)
3245 /* Don't do anything much if we have not done the handshake or
3246 * we don't want to send messages :-) */
3247 if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
3249 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
/* First call: mark the send side closed and queue the close_notify alert. */
3253 if (!(s->shutdown & SSL_SENT_SHUTDOWN))
3255 s->shutdown|=SSL_SENT_SHUTDOWN;
3257 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
3259 /* our shutdown alert has been sent now, and if it still needs
3260 * to be written, s->s3->alert_dispatch will be true */
3261 if (s->s3->alert_dispatch)
3262 return(-1); /* return WANT_WRITE */
3264 else if (s->s3->alert_dispatch)
3266 /* resend it if not sent */
3268 ret=s->method->ssl_dispatch_alert(s);
3271 /* we only get to return -1 here the 2nd/Nth
3272 * invocation, we must have already signalled
3273 * return 0 upon a previous invocation,
3274 * return WANT_WRITE */
3279 else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
3281 /* If we are waiting for a close from our peer, we are closed */
/* A zero-length read drives the record layer so a pending close_notify alert
 * from the peer is processed and SSL_RECEIVED_SHUTDOWN gets set. */
3282 s->method->ssl_read_bytes(s,0,NULL,0,0);
3283 if(!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
3285 return(-1); /* return WANT_READ */
3289 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
3290 !s->s3->alert_dispatch)
/* ssl3_write writes |len| bytes of application data from |buf| and returns
 * the number of bytes written, or a value <= 0 from the underlying write to
 * be interpreted by the caller (SSL_get_error). If the send side is already
 * shut down it returns without writing (the return statement is not visible
 * here). When SSL3_FLAGS_POP_BUFFER is set and the buffering BIO is still
 * installed, the first write is held in that buffer, flushed together with
 * the last handshake message, and then the buffer is removed. */
3296 int ssl3_write(SSL *s, const void *buf, int len)
3301 if (s->shutdown & SSL_SEND_SHUTDOWN)
3303 s->rwstate=SSL_NOTHING;
3307 ERR_clear_system_error();
/* A renegotiation requested via ssl3_renegotiate is started here, before the
 * application data is written. */
3308 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
3310 /* This is an experimental flag that sends the
3311 * last handshake message in the same packet as the first
3312 * use data - used to see if it helps the TCP protocol during
3313 * session-id reuse */
3314 /* The second test is because the buffer may have been removed */
3315 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
3317 /* First time through, we write into the buffer */
3318 if (s->s3->delay_buf_pop_ret == 0)
/* Remember how much was accepted so it can be reported after the flush, even
 * if the flush itself has to be retried. */
3320 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
3322 if (ret <= 0) return(ret);
3324 s->s3->delay_buf_pop_ret=ret;
3327 s->rwstate=SSL_WRITING;
3328 n=BIO_flush(s->wbio);
3329 if (n <= 0) return(n);
3330 s->rwstate=SSL_NOTHING;
3332 /* We have flushed the buffer, so remove it */
3333 ssl_free_wbio_buffer(s);
3334 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
3336 ret=s->s3->delay_buf_pop_ret;
3337 s->s3->delay_buf_pop_ret=0;
/* Normal path: hand the data to the method's record writer. */
3341 ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA,
3343 if (ret <= 0) return(ret);
/* ssl3_read_internal is the shared body of ssl3_read and ssl3_peek: it reads
 * up to |len| bytes of application data into |buf|, leaving the data in the
 * record if |peek| is non-zero, and returns the record layer's result. If
 * buffered handshake data is still waiting to be written (the
 * SSL3_FLAGS_POP_BUFFER case), it is flushed first so the peer can make
 * progress. The final |return ret| is not visible in this listing. */
3349 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
3353 ERR_clear_system_error();
3354 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
3356 /* Deal with an application that calls SSL_read() when handshake data
3357 * is yet to be written.
3359 if (BIO_wpending(s->wbio) > 0)
3361 s->rwstate=SSL_WRITING;
3362 n=BIO_flush(s->wbio);
3363 if (n <= 0) return(n);
3364 s->rwstate=SSL_NOTHING;
3367 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
/* |in_read_app_data| tells the record layer that this read originates from
 * the application; it is bumped to 2 by the record layer in the case
 * described below. */
3368 s->s3->in_read_app_data=1;
3369 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
3370 if ((ret == -1) && (s->s3->in_read_app_data == 2))
3372 /* ssl3_read_bytes decided to call s->handshake_func, which
3373 * called ssl3_read_bytes to read handshake data.
3374 * However, ssl3_read_bytes actually found application data
3375 * and thinks that application data makes sense here; so disable
3376 * handshake processing and try to read application data again. */
3378 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
3382 s->s3->in_read_app_data=0;
/* ssl3_read reads up to |len| bytes of application data into |buf| and
 * consumes them from the record (peek = 0). See ssl3_read_internal. */
3387 int ssl3_read(SSL *s, void *buf, int len)
3389 return ssl3_read_internal(s, buf, len, 0);
/* ssl3_peek copies up to |len| bytes of application data into |buf| without
 * consuming them (peek = 1). See ssl3_read_internal. */
3392 int ssl3_peek(SSL *s, void *buf, int len)
3394 return ssl3_read_internal(s, buf, len, 1);
/* ssl3_renegotiate requests a renegotiation: it only sets the
 * |s->s3->renegotiate| flag, which ssl3_renegotiate_check later turns into a
 * handshake state change at a quiet point. The request is refused when no
 * handshake function is installed or when SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 * is set (the return statements are not visible in this listing). */
3397 int ssl3_renegotiate(SSL *s)
3399 if (s->handshake_func == NULL)
3402 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
3405 s->s3->renegotiate=1;
/* ssl3_renegotiate_check starts a pending renegotiation if it is safe to do
 * so: the flag set by ssl3_renegotiate must be on and both record buffers
 * must be empty (a third condition on the following line is not visible
 * here). It then moves the state machine to SSL_ST_RENEGOTIATE, clears the
 * request and bumps both renegotiation counters. The return value (set in
 * lines not shown) indicates whether a renegotiation was started. */
3409 int ssl3_renegotiate_check(SSL *s)
3413 if (s->s3->renegotiate)
/* Only switch states between records, never with partial data buffered. */
3415 if ( (s->s3->rbuf.left == 0) &&
3416 (s->s3->wbuf.left == 0) &&
3420 if we are the server, and we have sent a 'RENEGOTIATE' message, we
3421 need to go to SSL_ST_ACCEPT.
3424 s->state=SSL_ST_RENEGOTIATE;
3425 s->s3->renegotiate=0;
3426 s->s3->num_renegotiations++;
3427 s->s3->total_renegotiations++;
3433 /* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
3434 * and handshake macs if required.
3436 long ssl_get_algorithm2(SSL *s)
3438 static const unsigned long kMask = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF;
3439 long alg2 = s->s3->tmp.new_cipher->algorithm2;
3440 if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF
3441 && (alg2 & kMask) == kMask)
3442 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;