kris
/
boringssl
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
752 Incheckningar
12 Grenar
38 MiB
 
 
 
 
 
 
Träd: d3bcf13165
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'd3bcf13165'
${ noResults }
boringssl/ssl/s3_lib.c

1656 rader
50 KiB
Blame Historik 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  112.  *

  113.  * Portions of the attached software ("Contribution") are developed by

  114.  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.

  115.  *

  116.  * The Contribution is licensed pursuant to the OpenSSL open source

  117.  * license provided above.

  118.  *

  119.  * ECC cipher suite support in OpenSSL originally written by

  120.  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.

  121.  *

  122.  */

  123. /* ====================================================================

  124.  * Copyright 2005 Nokia. All rights reserved.

  125.  *

  126.  * The portions of the attached software ("Contribution") is developed by

  127.  * Nokia Corporation and is licensed pursuant to the OpenSSL open source

  128.  * license.

  129.  *

  130.  * The Contribution, originally written by Mika Kousa and Pasi Eronen of

  131.  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites

  132.  * support (see RFC 4279) to OpenSSL.

  133.  *

  134.  * No patent licenses or other rights except those expressly stated in

  135.  * the OpenSSL open source license shall be deemed granted or received

  136.  * expressly, by implication, estoppel, or otherwise.

  137.  *

  138.  * No assurances are provided by Nokia that the Contribution does not

  139.  * infringe the patent or other intellectual property rights of any third

  140.  * party or that the license provides you with all the necessary rights

  141.  * to make use of the Contribution.

  142.  *

  143.  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN

  144.  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA

  145.  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY

  146.  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR

  147.  * OTHERWISE. */

  148. 

  149. #include <assert.h>

  150. #include <stdio.h>

  151. 

  152. #include <openssl/buf.h>

  153. #include <openssl/dh.h>

  154. #include <openssl/md5.h>

  155. #include <openssl/mem.h>

  156. #include <openssl/obj.h>

  157. 

  158. #include "ssl_locl.h"

  159. 

  160. 

  161. #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))

  162. 

  163. /* FIXED_NONCE_LEN is a macro that results in the correct value to set the

  164.  * fixed nonce length in SSL_CIPHER.algorithms2. It's the inverse of

  165.  * SSL_CIPHER_AEAD_FIXED_NONCE_LEN. */

  166. #define FIXED_NONCE_LEN(x) ((x / 2) << 24)

  167. 

  168. /* list of available SSLv3 ciphers (sorted by id) */

  169. const SSL_CIPHER ssl3_ciphers[] = {

  170.     /* The RSA ciphers */

  171.     /* Cipher 04 */

  172.     {

  173.      1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA,

  174.      SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,

  175.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF | SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD,

  176.      128, 128,

  177.     },

  178. 

  179.     /* Cipher 05 */

  180.     {

  181.      1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA,

  182.      SSL_RC4, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM,

  183.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  184.     },

  185. 

  186.     /* Cipher 0A */

  187.     {

  188.      1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA,

  189.      SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS,

  190.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168,

  191.     },

  192. 

  193. 

  194.     /* The Ephemeral DH ciphers */

  195. 

  196.     /* Cipher 18 */

  197.     {

  198.      1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kEDH, SSL_aNULL,

  199.      SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,

  200.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  201.     },

  202. 

  203. 

  204.     /* New AES ciphersuites */

  205. 

  206.     /* Cipher 2F */

  207.     {

  208.      1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA,

  209.      SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  210.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  211.     },

  212. 

  213.     /* Cipher 33 */

  214.     {

  215.      1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA,

  216.      SSL_kEDH, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  217.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  218.     },

  219. 

  220.     /* Cipher 34 */

  221.     {

  222.      1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH,

  223.      SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  224.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  225.     },

  226. 

  227.     /* Cipher 35 */

  228.     {

  229.      1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,

  230.      SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  231.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  232.     },

  233. 

  234.     /* Cipher 39 */

  235.     {

  236.      1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA,

  237.      SSL_kEDH, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  238.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  239.     },

  240. 

  241.     /* Cipher 3A */

  242.     {

  243.      1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kEDH,

  244.      SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  245.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  246.     },

  247. 

  248. 

  249.     /* TLS v1.2 ciphersuites */

  250. 

  251.     /* Cipher 3C */

  252.     {

  253.      1, TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256,

  254.      SSL_kRSA, SSL_aRSA, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,

  255.      SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  256.     },

  257. 

  258.     /* Cipher 3D */

  259.     {

  260.      1, TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256,

  261.      SSL_kRSA, SSL_aRSA, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,

  262.      SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  263.     },

  264. 

  265.     /* Cipher 67 */

  266.     {

  267.      1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,

  268.      TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES128,

  269.      SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  270.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  271.     },

  272. 

  273.     /* Cipher 6B */

  274.     {

  275.      1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,

  276.      TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES256,

  277.      SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  278.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  279.     },

  280. 

  281.     /* Cipher 6C */

  282.     {

  283.      1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256,

  284.      SSL_kEDH, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,

  285.      SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  286.     },

  287. 

  288.     /* Cipher 6D */

  289.     {

  290.      1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256,

  291.      SSL_kEDH, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,

  292.      SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  293.     },

  294. 

  295.     /* Cipher 8A */

  296.     {

  297.      1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,

  298.      SSL_aPSK, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,

  299.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  300.     },

  301. 

  302.     /* Cipher 8C */

  303.     {

  304.      1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA,

  305.      SSL_kPSK, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  306.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  307.     },

  308. 

  309.     /* Cipher 8D */

  310.     {

  311.      1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA,

  312.      SSL_kPSK, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  313.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  314.     },

  315. 

  316. 

  317.     /* GCM ciphersuites from RFC5288 */

  318. 

  319.     /* Cipher 9C */

  320.     {

  321.      1, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,

  322.      TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, SSL_aRSA, SSL_AES128GCM,

  323.      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  324.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  325.          FIXED_NONCE_LEN(4) |

  326.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  327.      128, 128,

  328.     },

  329. 

  330.     /* Cipher 9D */

  331.     {

  332.      1, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,

  333.      TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, SSL_aRSA, SSL_AES256GCM,

  334.      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  335.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |

  336.          FIXED_NONCE_LEN(4) |

  337.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  338.      256, 256,

  339.     },

  340. 

  341.     /* Cipher 9E */

  342.     {

  343.      1, TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,

  344.      TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES128GCM,

  345.      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  346.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  347.          FIXED_NONCE_LEN(4) |

  348.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  349.      128, 128,

  350.     },

  351. 

  352.     /* Cipher 9F */

  353.     {

  354.      1, TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,

  355.      TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH, SSL_aRSA, SSL_AES256GCM,

  356.      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  357.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |

  358.          FIXED_NONCE_LEN(4) |

  359.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  360.      256, 256,

  361.     },

  362. 

  363.     /* Cipher A6 */

  364.     {

  365.      1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,

  366.      TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kEDH, SSL_aNULL, SSL_AES128GCM,

  367.      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  368.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  369.          FIXED_NONCE_LEN(4) |

  370.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  371.      128, 128,

  372.     },

  373. 

  374.     /* Cipher A7 */

  375.     {

  376.      1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,

  377.      TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kEDH, SSL_aNULL, SSL_AES256GCM,

  378.      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  379.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |

  380.          FIXED_NONCE_LEN(4) |

  381.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  382.      256, 256,

  383.     },

  384. 

  385.     /* Cipher C007 */

  386.     {

  387.      1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,

  388.      TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kEECDH, SSL_aECDSA, SSL_RC4,

  389.      SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128,

  390.      128,

  391.     },

  392. 

  393.     /* Cipher C009 */

  394.     {

  395.      1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

  396.      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aECDSA,

  397.      SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  398.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  399.     },

  400. 

  401.     /* Cipher C00A */

  402.     {

  403.      1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

  404.      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aECDSA,

  405.      SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  406.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  407.     },

  408. 

  409.     /* Cipher C011 */

  410.     {

  411.      1, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,

  412.      SSL_kEECDH, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,

  413.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  414.     },

  415. 

  416.     /* Cipher C013 */

  417.     {

  418.      1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,

  419.      TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aRSA, SSL_AES128,

  420.      SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  421.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  422.     },

  423. 

  424.     /* Cipher C014 */

  425.     {

  426.      1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,

  427.      TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aRSA, SSL_AES256,

  428.      SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  429.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  430.     },

  431. 

  432.     /* Cipher C016 */

  433.     {

  434.      1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,

  435.      SSL_kEECDH, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,

  436.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  437.     },

  438. 

  439.     /* Cipher C018 */

  440.     {

  441.      1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,

  442.      TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aNULL, SSL_AES128,

  443.      SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  444.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,

  445.     },

  446. 

  447.     /* Cipher C019 */

  448.     {

  449.      1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,

  450.      TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aNULL, SSL_AES256,

  451.      SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,

  452.      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,

  453.     },

  454. 

  455. 

  456.     /* HMAC based TLS v1.2 ciphersuites from RFC5289 */

  457. 

  458.     /* Cipher C023 */

  459.     {

  460.      1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,

  461.      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kEECDH, SSL_aECDSA,

  462.      SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  463.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,

  464.     },

  465. 

  466.     /* Cipher C024 */

  467.     {

  468.      1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,

  469.      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kEECDH, SSL_aECDSA,

  470.      SSL_AES256, SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  471.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256,

  472.     },

  473. 

  474.     /* Cipher C027 */

  475.     {

  476.      1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,

  477.      TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kEECDH, SSL_aRSA, SSL_AES128,

  478.      SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  479.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,

  480.     },

  481. 

  482.     /* Cipher C028 */

  483.     {

  484.      1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,

  485.      TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kEECDH, SSL_aRSA, SSL_AES256,

  486.      SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  487.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256,

  488.     },

  489. 

  490. 

  491.     /* GCM based TLS v1.2 ciphersuites from RFC5289 */

  492. 

  493.     /* Cipher C02B */

  494.     {

  495.      1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

  496.      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aECDSA,

  497.      SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  498.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  499.          FIXED_NONCE_LEN(4) |

  500.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  501.      128, 128,

  502.     },

  503. 

  504.     /* Cipher C02C */

  505.     {

  506.      1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

  507.      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kEECDH, SSL_aECDSA,

  508.      SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  509.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |

  510.          FIXED_NONCE_LEN(4) |

  511.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  512.      256, 256,

  513.     },

  514. 

  515.     /* Cipher C02F */

  516.     {

  517.      1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

  518.      TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aRSA,

  519.      SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  520.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  521.          FIXED_NONCE_LEN(4) |

  522.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  523.      128, 128,

  524.     },

  525. 

  526.     /* Cipher C030 */

  527.     {

  528.      1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

  529.      TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEECDH, SSL_aRSA,

  530.      SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,

  531.      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |

  532.          FIXED_NONCE_LEN(4) |

  533.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  534.      256, 256,

  535.     },

  536. 

  537. 

  538.     /* ECDH PSK ciphersuites */

  539. 

  540.     /* Cipher CAFE */

  541.     {

  542.      1, TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,

  543.      TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aPSK,

  544.      SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,

  545.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  546.          FIXED_NONCE_LEN(4) |

  547.          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,

  548.      128, 128,

  549.     },

  550. 

  551.     {

  552.      1, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,

  553.      TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kEECDH, SSL_aRSA,

  554.      SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,

  555.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  556.          FIXED_NONCE_LEN(0),

  557.      256, 0,

  558.     },

  559. 

  560.     {

  561.      1, TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,

  562.      TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kEECDH, SSL_aECDSA,

  563.      SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,

  564.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  565.          FIXED_NONCE_LEN(0),

  566.      256, 0,

  567.     },

  568. 

  569.     {

  570.      1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,

  571.      TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kEDH, SSL_aRSA,

  572.      SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,

  573.      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |

  574.          FIXED_NONCE_LEN(0),

  575.      256, 0,

  576.     },

  577. };

  578. 

  579. const SSL3_ENC_METHOD SSLv3_enc_data = {

  580.     ssl3_enc,

  581.     n_ssl3_mac,

  582.     ssl3_setup_key_block,

  583.     ssl3_generate_master_secret,

  584.     ssl3_change_cipher_state,

  585.     ssl3_final_finish_mac,

  586.     MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,

  587.     ssl3_cert_verify_mac,

  588.     SSL3_MD_CLIENT_FINISHED_CONST, 4,

  589.     SSL3_MD_SERVER_FINISHED_CONST, 4,

  590.     ssl3_alert_code,

  591.     (int (*)(SSL *, uint8_t *, size_t, const char *, size_t, const uint8_t *,

  592.              size_t, int use_context)) ssl_undefined_function,

  593.     0,

  594.     SSL3_HM_HEADER_LENGTH,

  595.     ssl3_set_handshake_header,

  596.     ssl3_handshake_write,

  597. };

  598. 

  599. int ssl3_num_ciphers(void) { return SSL3_NUM_CIPHERS; }

  600. 

  601. const SSL_CIPHER *ssl3_get_cipher(unsigned int u) {

  602.   if (u >= SSL3_NUM_CIPHERS) {

  603.     return NULL;

  604.   }

  605. 

  606.   return &ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u];

  607. }

  608. 

  609. int ssl3_pending(const SSL *s) {

  610.   if (s->rstate == SSL_ST_READ_BODY) {

  611.     return 0;

  612.   }

  613. 

  614.   return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length

  615.                                                         : 0;

  616. }

  617. 

  618. void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) {

  619.   uint8_t *p = (uint8_t *)s->init_buf->data;

  620.   *(p++) = htype;

  621.   l2n3(len, p);

  622.   s->init_num = (int)len + SSL3_HM_HEADER_LENGTH;

  623.   s->init_off = 0;

  624. 

  625.   /* Add the message to the handshake hash. */

  626.   ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num);

  627. }

  628. 

  629. int ssl3_handshake_write(SSL *s) { return ssl3_do_write(s, SSL3_RT_HANDSHAKE); }

  630. 

  631. int ssl3_new(SSL *s) {

  632.   SSL3_STATE *s3;

  633. 

  634.   s3 = OPENSSL_malloc(sizeof *s3);

  635.   if (s3 == NULL) {

  636.     goto err;

  637.   }

  638.   memset(s3, 0, sizeof *s3);

  639.   memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));

  640.   memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));

  641. 

  642.   s->s3 = s3;

  643. 

  644.   s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled;

  645.   if (s->ctx->tlsext_channel_id_private) {

  646.     s->tlsext_channel_id_private =

  647.         EVP_PKEY_dup(s->ctx->tlsext_channel_id_private);

  648.   }

  649.   s->method->ssl_clear(s);

  650. 

  651.   return 1;

  652. err:

  653.   return 0;

  654. }

  655. 

  656. void ssl3_free(SSL *s) {

  657.   if (s == NULL) {

  658.     return;

  659.   }

  660. 

  661.   if (s->s3->sniff_buffer != NULL) {

  662.     BUF_MEM_free(s->s3->sniff_buffer);

  663.   }

  664.   ssl3_cleanup_key_block(s);

  665.   if (s->s3->rbuf.buf != NULL) {

  666.     ssl3_release_read_buffer(s);

  667.   }

  668.   if (s->s3->wbuf.buf != NULL) {

  669.     ssl3_release_write_buffer(s);

  670.   }

  671.   if (s->s3->tmp.dh != NULL) {

  672.     DH_free(s->s3->tmp.dh);

  673.   }

  674.   if (s->s3->tmp.ecdh != NULL) {

  675.     EC_KEY_free(s->s3->tmp.ecdh);

  676.   }

  677. 

  678.   if (s->s3->tmp.ca_names != NULL) {

  679.     sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);

  680.   }

  681.   if (s->s3->tmp.certificate_types != NULL) {

  682.     OPENSSL_free(s->s3->tmp.certificate_types);

  683.   }

  684.   if (s->s3->tmp.peer_ecpointformatlist) {

  685.     OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);

  686.   }

  687.   if (s->s3->tmp.peer_ellipticcurvelist) {

  688.     OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);

  689.   }

  690.   if (s->s3->tmp.peer_psk_identity_hint) {

  691.     OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);

  692.   }

  693.   if (s->s3->handshake_buffer) {

  694.     BIO_free(s->s3->handshake_buffer);

  695.   }

  696.   if (s->s3->handshake_dgst) {

  697.     ssl3_free_digest_list(s);

  698.   }

  699.   if (s->s3->alpn_selected) {

  700.     OPENSSL_free(s->s3->alpn_selected);

  701.   }

  702. 

  703.   OPENSSL_cleanse(s->s3, sizeof *s->s3);

  704.   OPENSSL_free(s->s3);

  705.   s->s3 = NULL;

  706. }

  707. 

  708. void ssl3_clear(SSL *s) {

  709.   uint8_t *rp, *wp;

  710.   size_t rlen, wlen;

  711.   int init_extra;

  712. 

  713.   /* TODO(davidben): Can this just call ssl3_free + ssl3_new. rbuf, wbuf, and

  714.    * init_extra are preserved, but this may not serve anything more than saving

  715.    * a malloc. */

  716. 

  717.   if (s->s3->sniff_buffer != NULL) {

  718.     BUF_MEM_free(s->s3->sniff_buffer);

  719.   }

  720.   s->s3->sniff_buffer = NULL;

  721. 

  722.   ssl3_cleanup_key_block(s);

  723.   if (s->s3->tmp.ca_names != NULL) {

  724.     sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);

  725.   }

  726.   s->s3->tmp.ca_names = NULL;

  727.   if (s->s3->tmp.certificate_types != NULL) {

  728.     OPENSSL_free(s->s3->tmp.certificate_types);

  729.   }

  730.   s->s3->tmp.certificate_types = NULL;

  731.   if (s->s3->tmp.peer_ecpointformatlist) {

  732.     OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);

  733.   }

  734.   s->s3->tmp.peer_ecpointformatlist = NULL;

  735.   if (s->s3->tmp.peer_ellipticcurvelist) {

  736.     OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);

  737.   }

  738.   s->s3->tmp.peer_ellipticcurvelist = NULL;

  739.   if (s->s3->tmp.peer_psk_identity_hint) {

  740.     OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);

  741.   }

  742.   s->s3->tmp.peer_psk_identity_hint = NULL;

  743. 

  744.   if (s->s3->tmp.dh != NULL) {

  745.     DH_free(s->s3->tmp.dh);

  746.     s->s3->tmp.dh = NULL;

  747.   }

  748.   if (s->s3->tmp.ecdh != NULL) {

  749.     EC_KEY_free(s->s3->tmp.ecdh);

  750.     s->s3->tmp.ecdh = NULL;

  751.   }

  752.   rp = s->s3->rbuf.buf;

  753.   wp = s->s3->wbuf.buf;

  754.   rlen = s->s3->rbuf.len;

  755.   wlen = s->s3->wbuf.len;

  756.   init_extra = s->s3->init_extra;

  757.   if (s->s3->handshake_buffer) {

  758.     BIO_free(s->s3->handshake_buffer);

  759.     s->s3->handshake_buffer = NULL;

  760.   }

  761.   if (s->s3->handshake_dgst) {

  762.     ssl3_free_digest_list(s);

  763.   }

  764. 

  765.   if (s->s3->alpn_selected) {

  766.     OPENSSL_free(s->s3->alpn_selected);

  767.     s->s3->alpn_selected = NULL;

  768.   }

  769.   memset(s->s3, 0, sizeof *s->s3);

  770.   s->s3->rbuf.buf = rp;

  771.   s->s3->wbuf.buf = wp;

  772.   s->s3->rbuf.len = rlen;

  773.   s->s3->wbuf.len = wlen;

  774.   s->s3->init_extra = init_extra;

  775. 

  776.   ssl_free_wbio_buffer(s);

  777. 

  778.   s->packet_length = 0;

  779.   s->s3->renegotiate = 0;

  780.   s->s3->total_renegotiations = 0;

  781.   s->s3->num_renegotiations = 0;

  782.   s->s3->in_read_app_data = 0;

  783.   s->version = TLS1_2_VERSION;

  784. 

  785.   if (s->next_proto_negotiated) {

  786.     OPENSSL_free(s->next_proto_negotiated);

  787.     s->next_proto_negotiated = NULL;

  788.     s->next_proto_negotiated_len = 0;

  789.   }

  790. 

  791.   s->s3->tlsext_channel_id_valid = 0;

  792. }

  793. 

  794. static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len);

  795. 

  796. long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {

  797.   int ret = 0;

  798. 

  799.   if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||

  800.       cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {

  801.     if (!ssl_cert_inst(&s->cert)) {

  802.       OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_MALLOC_FAILURE);

  803.       return 0;

  804.     }

  805.   }

  806. 

  807.   switch (cmd) {

  808.     case SSL_CTRL_GET_SESSION_REUSED:

  809.       ret = s->hit;

  810.       break;

  811. 

  812.     case SSL_CTRL_GET_CLIENT_CERT_REQUEST:

  813.       break;

  814. 

  815.     case SSL_CTRL_GET_NUM_RENEGOTIATIONS:

  816.       ret = s->s3->num_renegotiations;

  817.       break;

  818. 

  819.     case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:

  820.       ret = s->s3->num_renegotiations;

  821.       s->s3->num_renegotiations = 0;

  822.       break;

  823. 

  824.     case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:

  825.       ret = s->s3->total_renegotiations;

  826.       break;

  827. 

  828.     case SSL_CTRL_GET_FLAGS:

  829.       ret = (int)(s->s3->flags);

  830.       break;

  831. 

  832.     case SSL_CTRL_NEED_TMP_RSA:

  833.       /* Temporary RSA keys are never used. */

  834.       ret = 0;

  835.       break;

  836. 

  837.     case SSL_CTRL_SET_TMP_RSA:

  838.       /* Temporary RSA keys are never used. */

  839.       OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  840.       break;

  841. 

  842.     case SSL_CTRL_SET_TMP_RSA_CB:

  843.       OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  844.       return ret;

  845. 

  846.     case SSL_CTRL_SET_TMP_DH: {

  847.       DH *dh = (DH *)parg;

  848.       if (dh == NULL) {

  849.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);

  850.         return ret;

  851.       }

  852.       dh = DHparams_dup(dh);

  853.       if (dh == NULL) {

  854.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);

  855.         return ret;

  856.       }

  857.       if (!(s->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(dh)) {

  858.         DH_free(dh);

  859.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);

  860.         return ret;

  861.       }

  862.       if (s->cert->dh_tmp != NULL) {

  863.         DH_free(s->cert->dh_tmp);

  864.       }

  865.       s->cert->dh_tmp = dh;

  866.       ret = 1;

  867.       break;

  868.     }

  869. 

  870.     case SSL_CTRL_SET_TMP_DH_CB:

  871.       OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  872.       return ret;

  873. 

  874.     case SSL_CTRL_SET_TMP_ECDH: {

  875.       EC_KEY *ecdh = NULL;

  876. 

  877.       if (parg == NULL) {

  878.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);

  879.         return ret;

  880.       }

  881.       if (!EC_KEY_up_ref((EC_KEY *)parg)) {

  882.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);

  883.         return ret;

  884.       }

  885.       ecdh = (EC_KEY *)parg;

  886.       if (!(s->options & SSL_OP_SINGLE_ECDH_USE) && !EC_KEY_generate_key(ecdh)) {

  887.         EC_KEY_free(ecdh);

  888.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);

  889.         return ret;

  890.       }

  891.       if (s->cert->ecdh_tmp != NULL) {

  892.         EC_KEY_free(s->cert->ecdh_tmp);

  893.       }

  894.       s->cert->ecdh_tmp = ecdh;

  895.       ret = 1;

  896.       break;

  897.     }

  898. 

  899.     case SSL_CTRL_SET_TMP_ECDH_CB:

  900.       OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  901.       return ret;

  902. 

  903.     case SSL_CTRL_SET_TLSEXT_HOSTNAME:

  904.       if (larg == TLSEXT_NAMETYPE_host_name) {

  905.         if (s->tlsext_hostname != NULL) {

  906.           OPENSSL_free(s->tlsext_hostname);

  907.         }

  908.         s->tlsext_hostname = NULL;

  909. 

  910.         ret = 1;

  911.         if (parg == NULL) {

  912.           break;

  913.         }

  914.         if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {

  915.           OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_SSL3_EXT_INVALID_SERVERNAME);

  916.           return 0;

  917.         }

  918.         s->tlsext_hostname = BUF_strdup((char *) parg);

  919.         if (s->tlsext_hostname == NULL) {

  920.           OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_INTERNAL_ERROR);

  921.           return 0;

  922.         }

  923.       } else {

  924.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl,

  925.                           SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);

  926.         return 0;

  927.       }

  928.       break;

  929. 

  930.     case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:

  931.       s->tlsext_debug_arg = parg;

  932.       ret = 1;

  933.       break;

  934. 

  935.     case SSL_CTRL_CHAIN:

  936.       if (larg) {

  937.         return ssl_cert_set1_chain(s->cert, (STACK_OF(X509) *)parg);

  938.       } else {

  939.         return ssl_cert_set0_chain(s->cert, (STACK_OF(X509) *)parg);

  940.       }

  941. 

  942.     case SSL_CTRL_CHAIN_CERT:

  943.       if (larg) {

  944.         return ssl_cert_add1_chain_cert(s->cert, (X509 *)parg);

  945.       } else {

  946.         return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);

  947.       }

  948. 

  949.     case SSL_CTRL_GET_CHAIN_CERTS:

  950.       *(STACK_OF(X509) **)parg = s->cert->key->chain;

  951.       break;

  952. 

  953.     case SSL_CTRL_SELECT_CURRENT_CERT:

  954.       return ssl_cert_select_current(s->cert, (X509 *)parg);

  955. 

  956.     case SSL_CTRL_GET_CURVES: {

  957.       const uint16_t *clist = s->s3->tmp.peer_ellipticcurvelist;

  958.       size_t clistlen = s->s3->tmp.peer_ellipticcurvelist_length;

  959.       if (parg) {

  960.         size_t i;

  961.         int *cptr = parg;

  962.         int nid;

  963.         for (i = 0; i < clistlen; i++) {

  964.           nid = tls1_ec_curve_id2nid(clist[i]);

  965.           if (nid != OBJ_undef) {

  966.             cptr[i] = nid;

  967.           } else {

  968.             cptr[i] = TLSEXT_nid_unknown | clist[i];

  969.           }

  970.         }

  971.       }

  972.       return (int)clistlen;

  973.     }

  974. 

  975.     case SSL_CTRL_SET_CURVES:

  976.       return tls1_set_curves(&s->tlsext_ellipticcurvelist,

  977.                              &s->tlsext_ellipticcurvelist_length, parg, larg);

  978. 

  979.     case SSL_CTRL_SET_ECDH_AUTO:

  980.       s->cert->ecdh_tmp_auto = larg;

  981.       return 1;

  982. 

  983.     case SSL_CTRL_SET_SIGALGS:

  984.       return tls1_set_sigalgs(s->cert, parg, larg, 0);

  985. 

  986.     case SSL_CTRL_SET_CLIENT_SIGALGS:

  987.       return tls1_set_sigalgs(s->cert, parg, larg, 1);

  988. 

  989.     case SSL_CTRL_GET_CLIENT_CERT_TYPES: {

  990.       const uint8_t **pctype = parg;

  991.       if (s->server || !s->s3->tmp.cert_req) {

  992.         return 0;

  993.       }

  994.       if (pctype) {

  995.         *pctype = s->s3->tmp.certificate_types;

  996.       }

  997.       return (int)s->s3->tmp.num_certificate_types;

  998.     }

  999. 

  1000.     case SSL_CTRL_SET_CLIENT_CERT_TYPES:

  1001.       if (!s->server) {

  1002.         return 0;

  1003.       }

  1004.       return ssl3_set_req_cert_type(s->cert, parg, larg);

  1005. 

  1006.     case SSL_CTRL_BUILD_CERT_CHAIN:

  1007.       return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);

  1008. 

  1009.     case SSL_CTRL_SET_VERIFY_CERT_STORE:

  1010.       return ssl_cert_set_cert_store(s->cert, parg, 0, larg);

  1011. 

  1012.     case SSL_CTRL_SET_CHAIN_CERT_STORE:

  1013.       return ssl_cert_set_cert_store(s->cert, parg, 1, larg);

  1014. 

  1015.     case SSL_CTRL_GET_SERVER_TMP_KEY:

  1016.       if (s->server || !s->session || !s->session->sess_cert) {

  1017.         return 0;

  1018.       } else {

  1019.         SESS_CERT *sc;

  1020.         EVP_PKEY *ptmp;

  1021.         int rv = 0;

  1022.         sc = s->session->sess_cert;

  1023.         if (!sc->peer_dh_tmp && !sc->peer_ecdh_tmp) {

  1024.           return 0;

  1025.         }

  1026.         ptmp = EVP_PKEY_new();

  1027.         if (!ptmp) {

  1028.           return 0;

  1029.         }

  1030.         if (sc->peer_dh_tmp) {

  1031.           rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);

  1032.         } else if (sc->peer_ecdh_tmp) {

  1033.           rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);

  1034.         }

  1035.         if (rv) {

  1036.           *(EVP_PKEY **)parg = ptmp;

  1037.           return 1;

  1038.         }

  1039.         EVP_PKEY_free(ptmp);

  1040.         return 0;

  1041.       }

  1042. 

  1043.     case SSL_CTRL_GET_EC_POINT_FORMATS: {

  1044.       const uint8_t **pformat = parg;

  1045.       if (!s->s3->tmp.peer_ecpointformatlist) {

  1046.         return 0;

  1047.       }

  1048.       *pformat = s->s3->tmp.peer_ecpointformatlist;

  1049.       return (int)s->s3->tmp.peer_ecpointformatlist_length;

  1050.     }

  1051. 

  1052.     case SSL_CTRL_CHANNEL_ID:

  1053.       s->tlsext_channel_id_enabled = 1;

  1054.       ret = 1;

  1055.       break;

  1056. 

  1057.     case SSL_CTRL_SET_CHANNEL_ID:

  1058.       s->tlsext_channel_id_enabled = 1;

  1059.       if (EVP_PKEY_bits(parg) != 256) {

  1060.         OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_CHANNEL_ID_NOT_P256);

  1061.         break;

  1062.       }

  1063.       if (s->tlsext_channel_id_private) {

  1064.         EVP_PKEY_free(s->tlsext_channel_id_private);

  1065.       }

  1066.       s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);

  1067.       ret = 1;

  1068.       break;

  1069. 

  1070.     case SSL_CTRL_GET_CHANNEL_ID:

  1071.       if (!s->s3->tlsext_channel_id_valid) {

  1072.         break;

  1073.       }

  1074.       memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);

  1075.       return 64;

  1076. 

  1077.     case SSL_CTRL_FALLBACK_SCSV:

  1078.       s->fallback_scsv = 1;

  1079.       ret = 1;

  1080.       break;

  1081. 

  1082.     default:

  1083.       break;

  1084.   }

  1085. 

  1086.   return ret;

  1087. }

  1088. 

  1089. long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) {

  1090.   int ret = 0;

  1091. 

  1092.   if ((cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) &&

  1093.       !ssl_cert_inst(&s->cert)) {

  1094.     OPENSSL_PUT_ERROR(SSL, ssl3_callback_ctrl, ERR_R_MALLOC_FAILURE);

  1095.     return 0;

  1096.   }

  1097. 

  1098.   switch (cmd) {

  1099.     case SSL_CTRL_SET_TMP_RSA_CB:

  1100.       /* Ignore the callback; temporary RSA keys are never used. */

  1101.       break;

  1102. 

  1103.     case SSL_CTRL_SET_TMP_DH_CB:

  1104.       s->cert->dh_tmp_cb = (DH * (*)(SSL *, int, int))fp;

  1105.       break;

  1106. 

  1107.     case SSL_CTRL_SET_TMP_ECDH_CB:

  1108.       s->cert->ecdh_tmp_cb = (EC_KEY * (*)(SSL *, int, int))fp;

  1109.       break;

  1110. 

  1111.     case SSL_CTRL_SET_TLSEXT_DEBUG_CB:

  1112.       s->tlsext_debug_cb =

  1113.           (void (*)(SSL *, int, int, uint8_t *, int, void *))fp;

  1114.       break;

  1115. 

  1116.     default:

  1117.       break;

  1118.   }

  1119. 

  1120.   return ret;

  1121. }

  1122. 

  1123. long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {

  1124.   CERT *cert;

  1125. 

  1126.   cert = ctx->cert;

  1127. 

  1128.   switch (cmd) {

  1129.     case SSL_CTRL_NEED_TMP_RSA:

  1130.       /* Temporary RSA keys are never used. */

  1131.       return 0;

  1132. 

  1133.     case SSL_CTRL_SET_TMP_RSA:

  1134.       OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  1135.       return 0;

  1136. 

  1137.     case SSL_CTRL_SET_TMP_RSA_CB:

  1138.       OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  1139.       return 0;

  1140. 

  1141.     case SSL_CTRL_SET_TMP_DH: {

  1142.       DH *new = NULL, *dh;

  1143. 

  1144.       dh = (DH *)parg;

  1145.       new = DHparams_dup(dh);

  1146.       if (new == NULL) {

  1147.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);

  1148.         return 0;

  1149.       }

  1150.       if (!(ctx->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(new)) {

  1151.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);

  1152.         DH_free(new);

  1153.         return 0;

  1154.       }

  1155.       if (cert->dh_tmp != NULL) {

  1156.         DH_free(cert->dh_tmp);

  1157.       }

  1158.       cert->dh_tmp = new;

  1159.       return 1;

  1160.     }

  1161. 

  1162.     case SSL_CTRL_SET_TMP_DH_CB:

  1163.       OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  1164.       return 0;

  1165. 

  1166.     case SSL_CTRL_SET_TMP_ECDH: {

  1167.       EC_KEY *ecdh = NULL;

  1168. 

  1169.       if (parg == NULL) {

  1170.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);

  1171.         return 0;

  1172.       }

  1173.       ecdh = EC_KEY_dup((EC_KEY *)parg);

  1174.       if (ecdh == NULL) {

  1175.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_EC_LIB);

  1176.         return 0;

  1177.       }

  1178.       if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE) &&

  1179.           !EC_KEY_generate_key(ecdh)) {

  1180.         EC_KEY_free(ecdh);

  1181.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);

  1182.         return 0;

  1183.       }

  1184. 

  1185.       if (cert->ecdh_tmp != NULL) {

  1186.         EC_KEY_free(cert->ecdh_tmp);

  1187.       }

  1188.       cert->ecdh_tmp = ecdh;

  1189.       return 1;

  1190.     }

  1191. 

  1192.     case SSL_CTRL_SET_TMP_ECDH_CB:

  1193.       OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

  1194.       return 0;

  1195. 

  1196.     case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:

  1197.       ctx->tlsext_servername_arg = parg;

  1198.       break;

  1199. 

  1200.     case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:

  1201.     case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: {

  1202.       uint8_t *keys = parg;

  1203.       if (!keys) {

  1204.         return 48;

  1205.       }

  1206.       if (larg != 48) {

  1207.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_INVALID_TICKET_KEYS_LENGTH);

  1208.         return 0;

  1209.       }

  1210.       if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {

  1211.         memcpy(ctx->tlsext_tick_key_name, keys, 16);

  1212.         memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);

  1213.         memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);

  1214.       } else {

  1215.         memcpy(keys, ctx->tlsext_tick_key_name, 16);

  1216.         memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);

  1217.         memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);

  1218.       }

  1219.       return 1;

  1220.     }

  1221. 

  1222.     case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:

  1223.       ctx->tlsext_status_arg = parg;

  1224.       return 1;

  1225.       break;

  1226. 

  1227.     case SSL_CTRL_SET_CURVES:

  1228.       return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,

  1229.                              &ctx->tlsext_ellipticcurvelist_length, parg, larg);

  1230. 

  1231.     case SSL_CTRL_SET_ECDH_AUTO:

  1232.       ctx->cert->ecdh_tmp_auto = larg;

  1233.       return 1;

  1234. 

  1235.     case SSL_CTRL_SET_SIGALGS:

  1236.       return tls1_set_sigalgs(ctx->cert, parg, larg, 0);

  1237. 

  1238.     case SSL_CTRL_SET_CLIENT_SIGALGS:

  1239.       return tls1_set_sigalgs(ctx->cert, parg, larg, 1);

  1240. 

  1241.     case SSL_CTRL_SET_CLIENT_CERT_TYPES:

  1242.       return ssl3_set_req_cert_type(ctx->cert, parg, larg);

  1243. 

  1244.     case SSL_CTRL_BUILD_CERT_CHAIN:

  1245.       return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);

  1246. 

  1247.     case SSL_CTRL_SET_VERIFY_CERT_STORE:

  1248.       return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);

  1249. 

  1250.     case SSL_CTRL_SET_CHAIN_CERT_STORE:

  1251.       return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);

  1252. 

  1253.     case SSL_CTRL_EXTRA_CHAIN_CERT:

  1254.       if (ctx->extra_certs == NULL) {

  1255.         ctx->extra_certs = sk_X509_new_null();

  1256.         if (ctx->extra_certs == NULL) {

  1257.           return 0;

  1258.         }

  1259.       }

  1260.       sk_X509_push(ctx->extra_certs, (X509 *)parg);

  1261.       break;

  1262. 

  1263.     case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:

  1264.       if (ctx->extra_certs == NULL && larg == 0) {

  1265.         *(STACK_OF(X509) **)parg = ctx->cert->key->chain;

  1266.       } else {

  1267.         *(STACK_OF(X509) **)parg = ctx->extra_certs;

  1268.       }

  1269.       break;

  1270. 

  1271.     case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:

  1272.       if (ctx->extra_certs) {

  1273.         sk_X509_pop_free(ctx->extra_certs, X509_free);

  1274.         ctx->extra_certs = NULL;

  1275.       }

  1276.       break;

  1277. 

  1278.     case SSL_CTRL_CHAIN:

  1279.       if (larg) {

  1280.         return ssl_cert_set1_chain(ctx->cert, (STACK_OF(X509) *)parg);

  1281.       } else {

  1282.         return ssl_cert_set0_chain(ctx->cert, (STACK_OF(X509) *)parg);

  1283.       }

  1284. 

  1285.     case SSL_CTRL_CHAIN_CERT:

  1286.       if (larg) {

  1287.         return ssl_cert_add1_chain_cert(ctx->cert, (X509 *)parg);

  1288.       } else {

  1289.         return ssl_cert_add0_chain_cert(ctx->cert, (X509 *)parg);

  1290.       }

  1291. 

  1292.     case SSL_CTRL_GET_CHAIN_CERTS:

  1293.       *(STACK_OF(X509) **)parg = ctx->cert->key->chain;

  1294.       break;

  1295. 

  1296.     case SSL_CTRL_SELECT_CURRENT_CERT:

  1297.       return ssl_cert_select_current(ctx->cert, (X509 *)parg);

  1298. 

  1299.     case SSL_CTRL_CHANNEL_ID:

  1300.       ctx->tlsext_channel_id_enabled = 1;

  1301.       return 1;

  1302. 

  1303.     case SSL_CTRL_SET_CHANNEL_ID:

  1304.       ctx->tlsext_channel_id_enabled = 1;

  1305.       if (EVP_PKEY_bits(parg) != 256) {

  1306.         OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_CHANNEL_ID_NOT_P256);

  1307.         break;

  1308.       }

  1309.       if (ctx->tlsext_channel_id_private) {

  1310.         EVP_PKEY_free(ctx->tlsext_channel_id_private);

  1311.       }

  1312.       ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);

  1313.       break;

  1314. 

  1315.     default:

  1316.       return 0;

  1317.   }

  1318. 

  1319.   return 1;

  1320. }

  1321. 

  1322. long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) {

  1323.   CERT *cert;

  1324. 

  1325.   cert = ctx->cert;

  1326. 

  1327.   switch (cmd) {

  1328.     case SSL_CTRL_SET_TMP_RSA_CB:

  1329.       /* Ignore the callback; temporary RSA keys are never used. */

  1330.       break;

  1331. 

  1332.     case SSL_CTRL_SET_TMP_DH_CB:

  1333.       cert->dh_tmp_cb = (DH * (*)(SSL *, int, int))fp;

  1334.       break;

  1335. 

  1336.     case SSL_CTRL_SET_TMP_ECDH_CB:

  1337.       cert->ecdh_tmp_cb = (EC_KEY * (*)(SSL *, int, int))fp;

  1338.       break;

  1339. 

  1340.     case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:

  1341.       ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;

  1342.       break;

  1343. 

  1344.     case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:

  1345.       ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;

  1346.       break;

  1347. 

  1348.     case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:

  1349.       ctx->tlsext_ticket_key_cb = (int (

  1350.           *)(SSL *, uint8_t *, uint8_t *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;

  1351.       break;

  1352. 

  1353.     default:

  1354.       return 0;

  1355.   }

  1356. 

  1357.   return 1;

  1358. }

  1359. 

  1360. /* ssl3_get_cipher_by_value returns the SSL_CIPHER with value |value| or NULL

  1361.  * if none exists.

  1362.  *

  1363.  * This function needs to check if the ciphers required are actually

  1364.  * available. */

  1365. const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value) {

  1366.   SSL_CIPHER c;

  1367. 

  1368.   c.id = 0x03000000L | value;

  1369.   return bsearch(&c, ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(SSL_CIPHER),

  1370.                  ssl_cipher_id_cmp);

  1371. }

  1372. 

  1373. /* ssl3_get_cipher_by_value returns the cipher value of |c|. */

  1374. uint16_t ssl3_get_cipher_value(const SSL_CIPHER *c) {

  1375.   unsigned long id = c->id;

  1376.   /* All ciphers are SSLv3 now. */

  1377.   assert((id & 0xff000000) == 0x03000000);

  1378.   return id & 0xffff;

  1379. }

  1380. 

  1381. struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *s) {

  1382.   if (s->cipher_list != NULL) {

  1383.     return s->cipher_list;

  1384.   }

  1385. 

  1386.   if (s->version >= TLS1_1_VERSION && s->ctx != NULL &&

  1387.       s->ctx->cipher_list_tls11 != NULL) {

  1388.     return s->ctx->cipher_list_tls11;

  1389.   }

  1390. 

  1391.   if (s->ctx != NULL && s->ctx->cipher_list != NULL) {

  1392.     return s->ctx->cipher_list;

  1393.   }

  1394. 

  1395.   return NULL;

  1396. }

  1397. 

  1398. const SSL_CIPHER *ssl3_choose_cipher(

  1399.     SSL *s, STACK_OF(SSL_CIPHER) * clnt,

  1400.     struct ssl_cipher_preference_list_st *server_pref) {

  1401.   const SSL_CIPHER *c, *ret = NULL;

  1402.   STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;

  1403.   size_t i;

  1404.   int ok;

  1405.   size_t cipher_index;

  1406.   unsigned long alg_k, alg_a, mask_k, mask_a;

  1407.   /* in_group_flags will either be NULL, or will point to an array of bytes

  1408.    * which indicate equal-preference groups in the |prio| stack. See the

  1409.    * comment about |in_group_flags| in the |ssl_cipher_preference_list_st|

  1410.    * struct. */

  1411.   const uint8_t *in_group_flags;

  1412.   /* group_min contains the minimal index so far found in a group, or -1 if no

  1413.    * such value exists yet. */

  1414.   int group_min = -1;

  1415. 

  1416.   if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {

  1417.     prio = srvr;

  1418.     in_group_flags = server_pref->in_group_flags;

  1419.     allow = clnt;

  1420.   } else {

  1421.     prio = clnt;

  1422.     in_group_flags = NULL;

  1423.     allow = srvr;

  1424.   }

  1425. 

  1426.   ssl_get_compatible_server_ciphers(s, &mask_k, &mask_a);

  1427. 

  1428.   for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {

  1429.     c = sk_SSL_CIPHER_value(prio, i);

  1430. 

  1431.     ok = 1;

  1432. 

  1433.     /* Skip TLS v1.2 only ciphersuites if not supported */

  1434.     if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) {

  1435.       ok = 0;

  1436.     }

  1437. 

  1438.     alg_k = c->algorithm_mkey;

  1439.     alg_a = c->algorithm_auth;

  1440. 

  1441.     ok = ok && (alg_k & mask_k) && (alg_a & mask_a);

  1442. 

  1443.     if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c)) {

  1444.       if (in_group_flags != NULL && in_group_flags[i] == 1) {

  1445.         /* This element of |prio| is in a group. Update the minimum index found

  1446.          * so far and continue looking. */

  1447.         if (group_min == -1 || (size_t)group_min > cipher_index) {

  1448.           group_min = cipher_index;

  1449.         }

  1450.       } else {

  1451.         if (group_min != -1 && (size_t)group_min < cipher_index) {

  1452.           cipher_index = group_min;

  1453.         }

  1454.         ret = sk_SSL_CIPHER_value(allow, cipher_index);

  1455.         break;

  1456.       }

  1457.     }

  1458. 

  1459.     if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) {

  1460.       /* We are about to leave a group, but we found a match in it, so that's

  1461.        * our answer. */

  1462.       ret = sk_SSL_CIPHER_value(allow, group_min);

  1463.       break;

  1464.     }

  1465.   }

  1466. 

  1467.   return ret;

  1468. }

  1469. 

  1470. int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {

  1471.   int ret = 0;

  1472.   const uint8_t *sig;

  1473.   size_t i, siglen;

  1474.   int have_rsa_sign = 0;

  1475.   int have_ecdsa_sign = 0;

  1476. 

  1477.   /* If we have custom certificate types set, use them */

  1478.   if (s->cert->client_certificate_types) {

  1479.     memcpy(p, s->cert->client_certificate_types,

  1480.            s->cert->num_client_certificate_types);

  1481.     return s->cert->num_client_certificate_types;

  1482.   }

  1483. 

  1484.   /* get configured sigalgs */

  1485.   siglen = tls12_get_psigalgs(s, &sig);

  1486.   for (i = 0; i < siglen; i += 2, sig += 2) {

  1487.     switch (sig[1]) {

  1488.       case TLSEXT_signature_rsa:

  1489.         have_rsa_sign = 1;

  1490.         break;

  1491. 

  1492.       case TLSEXT_signature_ecdsa:

  1493.         have_ecdsa_sign = 1;

  1494.         break;

  1495.     }

  1496.   }

  1497. 

  1498.   if (have_rsa_sign) {

  1499.     p[ret++] = SSL3_CT_RSA_SIGN;

  1500.   }

  1501. 

  1502.   /* ECDSA certs can be used with RSA cipher suites as well so we don't need to

  1503.    * check for SSL_kECDH or SSL_kEECDH. */

  1504.   if (s->version >= TLS1_VERSION && have_ecdsa_sign) {

  1505.       p[ret++] = TLS_CT_ECDSA_SIGN;

  1506.   }

  1507. 

  1508.   return ret;

  1509. }

  1510. 

  1511. static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len) {

  1512.   if (c->client_certificate_types) {

  1513.     OPENSSL_free(c->client_certificate_types);

  1514.     c->client_certificate_types = NULL;

  1515.   }

  1516. 

  1517.   c->num_client_certificate_types = 0;

  1518.   if (!p || !len) {

  1519.     return 1;

  1520.   }

  1521. 

  1522.   if (len > 0xff) {

  1523.     return 0;

  1524.   }

  1525. 

  1526.   c->client_certificate_types = BUF_memdup(p, len);

  1527.   if (!c->client_certificate_types) {

  1528.     return 0;

  1529.   }

  1530. 

  1531.   c->num_client_certificate_types = len;

  1532.   return 1;

  1533. }

  1534. 

  1535. int ssl3_shutdown(SSL *s) {

  1536.   int ret;

  1537. 

  1538.   /* Do nothing if configured not to send a close_notify. */

  1539.   if (s->quiet_shutdown) {

  1540.     s->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;

  1541.     return 1;

  1542.   }

  1543. 

  1544.   if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {

  1545.     s->shutdown |= SSL_SENT_SHUTDOWN;

  1546.     ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);

  1547. 

  1548.     /* our shutdown alert has been sent now, and if it still needs to be

  1549.      * written, s->s3->alert_dispatch will be true */

  1550.     if (s->s3->alert_dispatch) {

  1551.       return -1; /* return WANT_WRITE */

  1552.     }

  1553.   } else if (s->s3->alert_dispatch) {

  1554.     /* resend it if not sent */

  1555.     ret = s->method->ssl_dispatch_alert(s);

  1556.     if (ret == -1) {

  1557.       /* we only get to return -1 here the 2nd/Nth invocation, we must  have

  1558.        * already signalled return 0 upon a previous invoation, return

  1559.        * WANT_WRITE */

  1560.       return ret;

  1561.     }

  1562.   } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {

  1563.     /* If we are waiting for a close from our peer, we are closed */

  1564.     s->method->ssl_read_bytes(s, 0, NULL, 0, 0);

  1565.     if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {

  1566.       return -1; /* return WANT_READ */

  1567.     }

  1568.   }

  1569. 

  1570.   if (s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN) &&

  1571.       !s->s3->alert_dispatch) {

  1572.     return 1;

  1573.   } else {

  1574.     return 0;

  1575.   }

  1576. }

  1577. 

  1578. int ssl3_write(SSL *s, const void *buf, int len) {

  1579.   ERR_clear_system_error();

  1580.   if (s->s3->renegotiate) {

  1581.     ssl3_renegotiate_check(s);

  1582.   }

  1583. 

  1584.   return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len);

  1585. }

  1586. 

  1587. static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) {

  1588.   int ret;

  1589. 

  1590.   ERR_clear_system_error();

  1591.   if (s->s3->renegotiate) {

  1592.     ssl3_renegotiate_check(s);

  1593.   }

  1594.   s->s3->in_read_app_data = 1;

  1595.   ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);

  1596.   if (ret == -1 && s->s3->in_read_app_data == 2) {

  1597.     /* ssl3_read_bytes decided to call s->handshake_func, which called

  1598.      * ssl3_read_bytes to read handshake data. However, ssl3_read_bytes

  1599.      * actually found application data and thinks that application data makes

  1600.      * sense here; so disable handshake processing and try to read application

  1601.      * data again. */

  1602.     s->in_handshake++;

  1603.     ret =

  1604.         s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);

  1605.     s->in_handshake--;

  1606.   } else {

  1607.     s->s3->in_read_app_data = 0;

  1608.   }

  1609. 

  1610.   return ret;

  1611. }

  1612. 

  1613. int ssl3_read(SSL *s, void *buf, int len) {

  1614.   return ssl3_read_internal(s, buf, len, 0);

  1615. }

  1616. 

  1617. int ssl3_peek(SSL *s, void *buf, int len) {

  1618.   return ssl3_read_internal(s, buf, len, 1);

  1619. }

  1620. 

  1621. int ssl3_renegotiate(SSL *s) {

  1622.   if (s->handshake_func == NULL) {

  1623.     return 1;

  1624.   }

  1625. 

  1626.   s->s3->renegotiate = 1;

  1627.   return 1;

  1628. }

  1629. 

  1630. int ssl3_renegotiate_check(SSL *s) {

  1631.   if (s->s3->renegotiate && s->s3->rbuf.left == 0 && s->s3->wbuf.left == 0 &&

  1632.       !SSL_in_init(s)) {

  1633.     /* if we are the server, and we have sent a 'RENEGOTIATE' message, we

  1634.      * need to go to SSL_ST_ACCEPT. */

  1635.     s->state = SSL_ST_RENEGOTIATE;

  1636.     s->s3->renegotiate = 0;

  1637.     s->s3->num_renegotiations++;

  1638.     s->s3->total_renegotiations++;

  1639.     return 1;

  1640.   }

  1641. 

  1642.   return 0;

  1643. }

  1644. 

  1645. /* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and

  1646.  * handshake macs if required. */

  1647. long ssl_get_algorithm2(SSL *s) {

  1648.   static const unsigned long kMask = SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;

  1649.   long alg2 = s->s3->tmp.new_cipher->algorithm2;

  1650.   if (s->enc_method->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&

  1651.       (alg2 & kMask) == kMask) {

  1652.     return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;

  1653.   }

  1654.   return alg2;

  1655. }