]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/s3_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update ASN1_TIME_to_tm's documentation
[thirdparty/openssl.git] / ssl / s3_lib.c
CommitLineData
846e33c7 1/*
9bb6f829 2 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
c80149d9 4 * Copyright 2005 Nokia. All rights reserved.
5a4fbc69 5 *
846e33c7
RS		 6 * Licensed under the OpenSSL license (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
5a4fbc69 10 */
846e33c7 11
d02b48c6 12#include <stdio.h>
ec577822 13#include <openssl/objects.h>
d02b48c6 14#include "ssl_locl.h"
dbad1690 15#include <openssl/md5.h>
3c27208f 16#include <openssl/dh.h>
a3680c8f 17#include <openssl/rand.h>
d02b48c6 18
b6eb9827 19#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
650c6e41 20#define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs)
d02b48c6 21
643a3580
MC		 22/* TLSv1.3 downgrade protection sentinel values */
23const unsigned char tls11downgrade[] = {
24 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
25};
26const unsigned char tls12downgrade[] = {
27 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
28};
29
748f2546 30/*
ef28891b 31 * The list of available ciphers, mostly organized into the following
748f2546
RS		 32 * groups:
33 * Always there
34 * EC
35 * PSK
36 * SRP (within that: RSA EC PSK)
9bb6f829 37 * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
748f2546
RS		 38 * Weak ciphers
39 */
a230b26e 40static SSL_CIPHER ssl3_ciphers[] = {
0f113f3e
MC		 41 {
42 1,
43 SSL3_TXT_RSA_NULL_MD5,
bbb4ceb8 44 SSL3_RFC_RSA_NULL_MD5,
0f113f3e
MC		 45 SSL3_CK_RSA_NULL_MD5,
46 SSL_kRSA,
47 SSL_aRSA,
48 SSL_eNULL,
49 SSL_MD5,
3eb2aff4 50 SSL3_VERSION, TLS1_2_VERSION,
387cf213 51 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 52 SSL_STRONG_NONE,
0f113f3e
MC		 53 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
54 0,
55 0,
56 },
0f113f3e
MC		 57 {
58 1,
59 SSL3_TXT_RSA_NULL_SHA,
bbb4ceb8 60 SSL3_RFC_RSA_NULL_SHA,
0f113f3e
MC		 61 SSL3_CK_RSA_NULL_SHA,
62 SSL_kRSA,
63 SSL_aRSA,
64 SSL_eNULL,
65 SSL_SHA1,
3eb2aff4 66 SSL3_VERSION, TLS1_2_VERSION,
387cf213 67 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 68 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e
MC		 69 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
70 0,
71 0,
72 },
d33726b9 73#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
0f113f3e
MC		 74 {
75 1,
76 SSL3_TXT_RSA_DES_192_CBC3_SHA,
bbb4ceb8 77 SSL3_RFC_RSA_DES_192_CBC3_SHA,
0f113f3e
MC		 78 SSL3_CK_RSA_DES_192_CBC3_SHA,
79 SSL_kRSA,
80 SSL_aRSA,
81 SSL_3DES,
82 SSL_SHA1,
3eb2aff4 83 SSL3_VERSION, TLS1_2_VERSION,
387cf213 84 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 85 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e
MC		 86 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
87 112,
88 168,
89 },
0f113f3e
MC		 90 {
91 1,
92 SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA,
bbb4ceb8 93 SSL3_RFC_DHE_DSS_DES_192_CBC3_SHA,
0f113f3e
MC		 94 SSL3_CK_DHE_DSS_DES_192_CBC3_SHA,
95 SSL_kDHE,
96 SSL_aDSS,
97 SSL_3DES,
98 SSL_SHA1,
3eb2aff4 99 SSL3_VERSION, TLS1_2_VERSION,
387cf213 100 DTLS1_BAD_VER, DTLS1_2_VERSION,
4a8e9c22 101 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e
MC		 102 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
103 112,
104 168,
105 },
0f113f3e
MC		 106 {
107 1,
108 SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA,
bbb4ceb8 109 SSL3_RFC_DHE_RSA_DES_192_CBC3_SHA,
0f113f3e
MC		 110 SSL3_CK_DHE_RSA_DES_192_CBC3_SHA,
111 SSL_kDHE,
112 SSL_aRSA,
113 SSL_3DES,
114 SSL_SHA1,
3eb2aff4 115 SSL3_VERSION, TLS1_2_VERSION,
387cf213 116 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 117 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e
MC		 118 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
119 112,
120 168,
121 },
0f113f3e
MC		 122 {
123 1,
124 SSL3_TXT_ADH_DES_192_CBC_SHA,
bbb4ceb8 125 SSL3_RFC_ADH_DES_192_CBC_SHA,
0f113f3e
MC		 126 SSL3_CK_ADH_DES_192_CBC_SHA,
127 SSL_kDHE,
128 SSL_aNULL,
129 SSL_3DES,
130 SSL_SHA1,
3eb2aff4 131 SSL3_VERSION, TLS1_2_VERSION,
387cf213 132 DTLS1_BAD_VER, DTLS1_2_VERSION,
4a8e9c22 133 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e
MC		 134 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
135 112,
136 168,
137 },
d33726b9 138#endif
0f113f3e
MC		 139 {
140 1,
141 TLS1_TXT_RSA_WITH_AES_128_SHA,
bbb4ceb8 142 TLS1_RFC_RSA_WITH_AES_128_SHA,
0f113f3e
MC		 143 TLS1_CK_RSA_WITH_AES_128_SHA,
144 SSL_kRSA,
145 SSL_aRSA,
146 SSL_AES128,
147 SSL_SHA1,
3eb2aff4 148 SSL3_VERSION, TLS1_2_VERSION,
387cf213 149 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 150 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 151 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
152 128,
153 128,
154 },
0f113f3e
MC		 155 {
156 1,
157 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
bbb4ceb8 158 TLS1_RFC_DHE_DSS_WITH_AES_128_SHA,
0f113f3e
MC		 159 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
160 SSL_kDHE,
161 SSL_aDSS,
162 SSL_AES128,
163 SSL_SHA1,
3eb2aff4 164 SSL3_VERSION, TLS1_2_VERSION,
387cf213 165 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 166 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 167 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
168 128,
169 128,
170 },
0f113f3e
MC		 171 {
172 1,
173 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
bbb4ceb8 174 TLS1_RFC_DHE_RSA_WITH_AES_128_SHA,
0f113f3e
MC		 175 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
176 SSL_kDHE,
177 SSL_aRSA,
178 SSL_AES128,
179 SSL_SHA1,
3eb2aff4 180 SSL3_VERSION, TLS1_2_VERSION,
387cf213 181 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 182 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 183 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
184 128,
185 128,
186 },
0f113f3e
MC		 187 {
188 1,
189 TLS1_TXT_ADH_WITH_AES_128_SHA,
bbb4ceb8 190 TLS1_RFC_ADH_WITH_AES_128_SHA,
0f113f3e
MC		 191 TLS1_CK_ADH_WITH_AES_128_SHA,
192 SSL_kDHE,
193 SSL_aNULL,
194 SSL_AES128,
195 SSL_SHA1,
3eb2aff4 196 SSL3_VERSION, TLS1_2_VERSION,
387cf213 197 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 198 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 199 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
200 128,
201 128,
202 },
0f113f3e
MC		 203 {
204 1,
205 TLS1_TXT_RSA_WITH_AES_256_SHA,
bbb4ceb8 206 TLS1_RFC_RSA_WITH_AES_256_SHA,
0f113f3e
MC		 207 TLS1_CK_RSA_WITH_AES_256_SHA,
208 SSL_kRSA,
209 SSL_aRSA,
210 SSL_AES256,
211 SSL_SHA1,
3eb2aff4 212 SSL3_VERSION, TLS1_2_VERSION,
387cf213 213 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 214 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 215 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
216 256,
217 256,
218 },
0f113f3e
MC		 219 {
220 1,
221 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
bbb4ceb8 222 TLS1_RFC_DHE_DSS_WITH_AES_256_SHA,
0f113f3e
MC		 223 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
224 SSL_kDHE,
225 SSL_aDSS,
226 SSL_AES256,
227 SSL_SHA1,
3eb2aff4 228 SSL3_VERSION, TLS1_2_VERSION,
387cf213 229 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 230 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 231 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
232 256,
233 256,
234 },
0f113f3e
MC		 235 {
236 1,
237 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
bbb4ceb8 238 TLS1_RFC_DHE_RSA_WITH_AES_256_SHA,
0f113f3e
MC		 239 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
240 SSL_kDHE,
241 SSL_aRSA,
242 SSL_AES256,
243 SSL_SHA1,
3eb2aff4 244 SSL3_VERSION, TLS1_2_VERSION,
387cf213 245 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 246 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 247 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
248 256,
249 256,
250 },
0f113f3e
MC		 251 {
252 1,
253 TLS1_TXT_ADH_WITH_AES_256_SHA,
bbb4ceb8 254 TLS1_RFC_ADH_WITH_AES_256_SHA,
0f113f3e
MC		 255 TLS1_CK_ADH_WITH_AES_256_SHA,
256 SSL_kDHE,
257 SSL_aNULL,
258 SSL_AES256,
259 SSL_SHA1,
3eb2aff4 260 SSL3_VERSION, TLS1_2_VERSION,
387cf213 261 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 262 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 263 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
264 256,
265 256,
266 },
0f113f3e
MC		 267 {
268 1,
269 TLS1_TXT_RSA_WITH_NULL_SHA256,
bbb4ceb8 270 TLS1_RFC_RSA_WITH_NULL_SHA256,
0f113f3e
MC		 271 TLS1_CK_RSA_WITH_NULL_SHA256,
272 SSL_kRSA,
273 SSL_aRSA,
274 SSL_eNULL,
275 SSL_SHA256,
3eb2aff4
KR		 276 TLS1_2_VERSION, TLS1_2_VERSION,
277 DTLS1_2_VERSION, DTLS1_2_VERSION,
1510b5f7 278 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e
MC		 279 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
280 0,
281 0,
282 },
0f113f3e
MC		 283 {
284 1,
285 TLS1_TXT_RSA_WITH_AES_128_SHA256,
bbb4ceb8 286 TLS1_RFC_RSA_WITH_AES_128_SHA256,
0f113f3e
MC		 287 TLS1_CK_RSA_WITH_AES_128_SHA256,
288 SSL_kRSA,
289 SSL_aRSA,
290 SSL_AES128,
291 SSL_SHA256,
3eb2aff4
KR		 292 TLS1_2_VERSION, TLS1_2_VERSION,
293 DTLS1_2_VERSION, DTLS1_2_VERSION,
361a1191 294 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 295 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
296 128,
297 128,
298 },
0f113f3e
MC		 299 {
300 1,
301 TLS1_TXT_RSA_WITH_AES_256_SHA256,
bbb4ceb8 302 TLS1_RFC_RSA_WITH_AES_256_SHA256,
0f113f3e
MC		 303 TLS1_CK_RSA_WITH_AES_256_SHA256,
304 SSL_kRSA,
305 SSL_aRSA,
306 SSL_AES256,
307 SSL_SHA256,
3eb2aff4
KR		 308 TLS1_2_VERSION, TLS1_2_VERSION,
309 DTLS1_2_VERSION, DTLS1_2_VERSION,
361a1191 310 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 311 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
312 256,
313 256,
314 },
0f113f3e
MC		 315 {
316 1,
317 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
bbb4ceb8 318 TLS1_RFC_DHE_DSS_WITH_AES_128_SHA256,
0f113f3e
MC		 319 TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
320 SSL_kDHE,
321 SSL_aDSS,
322 SSL_AES128,
323 SSL_SHA256,
3eb2aff4
KR		 324 TLS1_2_VERSION, TLS1_2_VERSION,
325 DTLS1_2_VERSION, DTLS1_2_VERSION,
a556f342 326 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 327 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
328 128,
329 128,
330 },
0f113f3e
MC		 331 {
332 1,
333 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
bbb4ceb8 334 TLS1_RFC_DHE_RSA_WITH_AES_128_SHA256,
0f113f3e
MC		 335 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
336 SSL_kDHE,
337 SSL_aRSA,
338 SSL_AES128,
339 SSL_SHA256,
3eb2aff4
KR		 340 TLS1_2_VERSION, TLS1_2_VERSION,
341 DTLS1_2_VERSION, DTLS1_2_VERSION,
361a1191 342 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 343 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
344 128,
345 128,
346 },
0f113f3e
MC		 347 {
348 1,
349 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
bbb4ceb8 350 TLS1_RFC_DHE_DSS_WITH_AES_256_SHA256,
0f113f3e
MC		 351 TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
352 SSL_kDHE,
353 SSL_aDSS,
354 SSL_AES256,
355 SSL_SHA256,
3eb2aff4
KR		 356 TLS1_2_VERSION, TLS1_2_VERSION,
357 DTLS1_2_VERSION, DTLS1_2_VERSION,
a556f342 358 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 359 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
360 256,
361 256,
362 },
0f113f3e
MC		 363 {
364 1,
365 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
bbb4ceb8 366 TLS1_RFC_DHE_RSA_WITH_AES_256_SHA256,
0f113f3e
MC		 367 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
368 SSL_kDHE,
369 SSL_aRSA,
370 SSL_AES256,
371 SSL_SHA256,
3eb2aff4
KR		 372 TLS1_2_VERSION, TLS1_2_VERSION,
373 DTLS1_2_VERSION, DTLS1_2_VERSION,
361a1191 374 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 375 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
376 256,
377 256,
378 },
0f113f3e
MC		 379 {
380 1,
381 TLS1_TXT_ADH_WITH_AES_128_SHA256,
bbb4ceb8 382 TLS1_RFC_ADH_WITH_AES_128_SHA256,
0f113f3e
MC		 383 TLS1_CK_ADH_WITH_AES_128_SHA256,
384 SSL_kDHE,
385 SSL_aNULL,
386 SSL_AES128,
387 SSL_SHA256,
3eb2aff4
KR		 388 TLS1_2_VERSION, TLS1_2_VERSION,
389 DTLS1_2_VERSION, DTLS1_2_VERSION,
361a1191 390 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 391 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
392 128,
393 128,
394 },
0f113f3e
MC		 395 {
396 1,
397 TLS1_TXT_ADH_WITH_AES_256_SHA256,
bbb4ceb8 398 TLS1_RFC_ADH_WITH_AES_256_SHA256,
0f113f3e
MC		 399 TLS1_CK_ADH_WITH_AES_256_SHA256,
400 SSL_kDHE,
401 SSL_aNULL,
402 SSL_AES256,
403 SSL_SHA256,
3eb2aff4
KR		 404 TLS1_2_VERSION, TLS1_2_VERSION,
405 DTLS1_2_VERSION, DTLS1_2_VERSION,
361a1191 406 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 407 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
408 256,
409 256,
410 },
0f113f3e
MC		 411 {
412 1,
748f2546 413 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
bbb4ceb8 414 TLS1_RFC_RSA_WITH_AES_128_GCM_SHA256,
748f2546
RS		 415 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
416 SSL_kRSA,
417 SSL_aRSA,
418 SSL_AES128GCM,
419 SSL_AEAD,
420 TLS1_2_VERSION, TLS1_2_VERSION,
421 DTLS1_2_VERSION, DTLS1_2_VERSION,
422 SSL_HIGH | SSL_FIPS,
423 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
424 128,
425 128,
426 },
0f113f3e
MC		 427 {
428 1,
748f2546 429 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
bbb4ceb8 430 TLS1_RFC_RSA_WITH_AES_256_GCM_SHA384,
748f2546 431 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
0f113f3e
MC		 432 SSL_kRSA,
433 SSL_aRSA,
748f2546
RS		 434 SSL_AES256GCM,
435 SSL_AEAD,
436 TLS1_2_VERSION, TLS1_2_VERSION,
437 DTLS1_2_VERSION, DTLS1_2_VERSION,
438 SSL_HIGH | SSL_FIPS,
439 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 440 256,
441 256,
442 },
0f113f3e
MC		 443 {
444 1,
748f2546 445 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
bbb4ceb8 446 TLS1_RFC_DHE_RSA_WITH_AES_128_GCM_SHA256,
748f2546 447 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
0f113f3e 448 SSL_kDHE,
748f2546
RS		 449 SSL_aRSA,
450 SSL_AES128GCM,
451 SSL_AEAD,
452 TLS1_2_VERSION, TLS1_2_VERSION,
453 DTLS1_2_VERSION, DTLS1_2_VERSION,
454 SSL_HIGH | SSL_FIPS,
455 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
456 128,
457 128,
0f113f3e 458 },
0f113f3e
MC		 459 {
460 1,
748f2546 461 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
bbb4ceb8 462 TLS1_RFC_DHE_RSA_WITH_AES_256_GCM_SHA384,
748f2546 463 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
0f113f3e
MC		 464 SSL_kDHE,
465 SSL_aRSA,
748f2546
RS		 466 SSL_AES256GCM,
467 SSL_AEAD,
468 TLS1_2_VERSION, TLS1_2_VERSION,
469 DTLS1_2_VERSION, DTLS1_2_VERSION,
470 SSL_HIGH | SSL_FIPS,
471 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 472 256,
473 256,
474 },
0f113f3e
MC		 475 {
476 1,
748f2546 477 TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
bbb4ceb8 478 TLS1_RFC_DHE_DSS_WITH_AES_128_GCM_SHA256,
748f2546 479 TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
0f113f3e 480 SSL_kDHE,
748f2546
RS		 481 SSL_aDSS,
482 SSL_AES128GCM,
483 SSL_AEAD,
484 TLS1_2_VERSION, TLS1_2_VERSION,
485 DTLS1_2_VERSION, DTLS1_2_VERSION,
486 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
487 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 488 128,
489 128,
490 },
0f113f3e
MC		 491 {
492 1,
748f2546 493 TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
bbb4ceb8 494 TLS1_RFC_DHE_DSS_WITH_AES_256_GCM_SHA384,
748f2546
RS		 495 TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
496 SSL_kDHE,
497 SSL_aDSS,
498 SSL_AES256GCM,
499 SSL_AEAD,
500 TLS1_2_VERSION, TLS1_2_VERSION,
501 DTLS1_2_VERSION, DTLS1_2_VERSION,
502 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
503 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
504 256,
505 256,
0f113f3e 506 },
0f113f3e
MC		 507 {
508 1,
748f2546 509 TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
bbb4ceb8 510 TLS1_RFC_ADH_WITH_AES_128_GCM_SHA256,
748f2546
RS		 511 TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
512 SSL_kDHE,
513 SSL_aNULL,
514 SSL_AES128GCM,
515 SSL_AEAD,
516 TLS1_2_VERSION, TLS1_2_VERSION,
517 DTLS1_2_VERSION, DTLS1_2_VERSION,
518 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
519 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 520 128,
521 128,
522 },
0f113f3e
MC		 523 {
524 1,
748f2546 525 TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
bbb4ceb8 526 TLS1_RFC_ADH_WITH_AES_256_GCM_SHA384,
748f2546
RS		 527 TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
528 SSL_kDHE,
529 SSL_aNULL,
530 SSL_AES256GCM,
531 SSL_AEAD,
532 TLS1_2_VERSION, TLS1_2_VERSION,
533 DTLS1_2_VERSION, DTLS1_2_VERSION,
534 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
535 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 536 256,
537 256,
538 },
ea6114c6
DSH		 539 {
540 1,
748f2546 541 TLS1_TXT_RSA_WITH_AES_128_CCM,
bbb4ceb8 542 TLS1_RFC_RSA_WITH_AES_128_CCM,
748f2546
RS		 543 TLS1_CK_RSA_WITH_AES_128_CCM,
544 SSL_kRSA,
545 SSL_aRSA,
546 SSL_AES128CCM,
547 SSL_AEAD,
548 TLS1_2_VERSION, TLS1_2_VERSION,
549 DTLS1_2_VERSION, DTLS1_2_VERSION,
550 SSL_NOT_DEFAULT | SSL_HIGH,
551 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 552 128,
553 128,
554 },
ea6114c6
DSH		 555 {
556 1,
748f2546 557 TLS1_TXT_RSA_WITH_AES_256_CCM,
bbb4ceb8 558 TLS1_RFC_RSA_WITH_AES_256_CCM,
748f2546
RS		 559 TLS1_CK_RSA_WITH_AES_256_CCM,
560 SSL_kRSA,
561 SSL_aRSA,
562 SSL_AES256CCM,
563 SSL_AEAD,
564 TLS1_2_VERSION, TLS1_2_VERSION,
565 DTLS1_2_VERSION, DTLS1_2_VERSION,
566 SSL_NOT_DEFAULT | SSL_HIGH,
567 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
568 256,
569 256,
ea6114c6 570 },
ea6114c6
DSH		 571 {
572 1,
748f2546 573 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM,
bbb4ceb8 574 TLS1_RFC_DHE_RSA_WITH_AES_128_CCM,
748f2546
RS		 575 TLS1_CK_DHE_RSA_WITH_AES_128_CCM,
576 SSL_kDHE,
577 SSL_aRSA,
578 SSL_AES128CCM,
579 SSL_AEAD,
580 TLS1_2_VERSION, TLS1_2_VERSION,
581 DTLS1_2_VERSION, DTLS1_2_VERSION,
582 SSL_NOT_DEFAULT | SSL_HIGH,
583 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 584 128,
585 128,
586 },
ea6114c6
DSH		 587 {
588 1,
748f2546 589 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM,
bbb4ceb8 590 TLS1_RFC_DHE_RSA_WITH_AES_256_CCM,
748f2546
RS		 591 TLS1_CK_DHE_RSA_WITH_AES_256_CCM,
592 SSL_kDHE,
593 SSL_aRSA,
594 SSL_AES256CCM,
595 SSL_AEAD,
596 TLS1_2_VERSION, TLS1_2_VERSION,
597 DTLS1_2_VERSION, DTLS1_2_VERSION,
598 SSL_NOT_DEFAULT | SSL_HIGH,
599 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 600 256,
601 256,
602 },
ea6114c6
DSH		 603 {
604 1,
748f2546 605 TLS1_TXT_RSA_WITH_AES_128_CCM_8,
bbb4ceb8 606 TLS1_RFC_RSA_WITH_AES_128_CCM_8,
748f2546
RS		 607 TLS1_CK_RSA_WITH_AES_128_CCM_8,
608 SSL_kRSA,
ea6114c6 609 SSL_aRSA,
748f2546 610 SSL_AES128CCM8,
0f113f3e 611 SSL_AEAD,
3eb2aff4
KR		 612 TLS1_2_VERSION, TLS1_2_VERSION,
613 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 614 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 615 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
616 128,
617 128,
618 },
0f113f3e
MC		 619 {
620 1,
748f2546 621 TLS1_TXT_RSA_WITH_AES_256_CCM_8,
bbb4ceb8 622 TLS1_RFC_RSA_WITH_AES_256_CCM_8,
748f2546 623 TLS1_CK_RSA_WITH_AES_256_CCM_8,
0f113f3e
MC		 624 SSL_kRSA,
625 SSL_aRSA,
748f2546 626 SSL_AES256CCM8,
0f113f3e 627 SSL_AEAD,
3eb2aff4
KR		 628 TLS1_2_VERSION, TLS1_2_VERSION,
629 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 630 SSL_NOT_DEFAULT | SSL_HIGH,
631 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 632 256,
633 256,
634 },
0f113f3e
MC		 635 {
636 1,
748f2546 637 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8,
bbb4ceb8 638 TLS1_RFC_DHE_RSA_WITH_AES_128_CCM_8,
748f2546 639 TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8,
0f113f3e
MC		 640 SSL_kDHE,
641 SSL_aRSA,
748f2546 642 SSL_AES128CCM8,
0f113f3e 643 SSL_AEAD,
3eb2aff4
KR		 644 TLS1_2_VERSION, TLS1_2_VERSION,
645 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 646 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 647 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
648 128,
649 128,
650 },
0f113f3e
MC		 651 {
652 1,
748f2546 653 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8,
bbb4ceb8 654 TLS1_RFC_DHE_RSA_WITH_AES_256_CCM_8,
748f2546 655 TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8,
0f113f3e
MC		 656 SSL_kDHE,
657 SSL_aRSA,
748f2546 658 SSL_AES256CCM8,
0f113f3e 659 SSL_AEAD,
3eb2aff4
KR		 660 TLS1_2_VERSION, TLS1_2_VERSION,
661 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 662 SSL_NOT_DEFAULT | SSL_HIGH,
663 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 664 256,
665 256,
666 },
0f113f3e
MC		 667 {
668 1,
748f2546 669 TLS1_TXT_PSK_WITH_AES_128_CCM,
bbb4ceb8 670 TLS1_RFC_PSK_WITH_AES_128_CCM,
748f2546
RS		 671 TLS1_CK_PSK_WITH_AES_128_CCM,
672 SSL_kPSK,
673 SSL_aPSK,
674 SSL_AES128CCM,
0f113f3e 675 SSL_AEAD,
3eb2aff4
KR		 676 TLS1_2_VERSION, TLS1_2_VERSION,
677 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 678 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 679 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
680 128,
681 128,
682 },
0f113f3e
MC		 683 {
684 1,
748f2546 685 TLS1_TXT_PSK_WITH_AES_256_CCM,
bbb4ceb8 686 TLS1_RFC_PSK_WITH_AES_256_CCM,
748f2546
RS		 687 TLS1_CK_PSK_WITH_AES_256_CCM,
688 SSL_kPSK,
689 SSL_aPSK,
690 SSL_AES256CCM,
0f113f3e 691 SSL_AEAD,
3eb2aff4
KR		 692 TLS1_2_VERSION, TLS1_2_VERSION,
693 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 694 SSL_NOT_DEFAULT | SSL_HIGH,
695 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 696 256,
697 256,
698 },
0f113f3e
MC		 699 {
700 1,
748f2546 701 TLS1_TXT_DHE_PSK_WITH_AES_128_CCM,
bbb4ceb8 702 TLS1_RFC_DHE_PSK_WITH_AES_128_CCM,
748f2546
RS		 703 TLS1_CK_DHE_PSK_WITH_AES_128_CCM,
704 SSL_kDHEPSK,
705 SSL_aPSK,
706 SSL_AES128CCM,
0f113f3e 707 SSL_AEAD,
3eb2aff4
KR		 708 TLS1_2_VERSION, TLS1_2_VERSION,
709 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 710 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 711 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
712 128,
713 128,
714 },
0f113f3e
MC		 715 {
716 1,
748f2546 717 TLS1_TXT_DHE_PSK_WITH_AES_256_CCM,
bbb4ceb8 718 TLS1_RFC_DHE_PSK_WITH_AES_256_CCM,
748f2546
RS		 719 TLS1_CK_DHE_PSK_WITH_AES_256_CCM,
720 SSL_kDHEPSK,
721 SSL_aPSK,
722 SSL_AES256CCM,
0f113f3e 723 SSL_AEAD,
3eb2aff4
KR		 724 TLS1_2_VERSION, TLS1_2_VERSION,
725 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 726 SSL_NOT_DEFAULT | SSL_HIGH,
727 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 728 256,
729 256,
730 },
547dba74
DSH		 731 {
732 1,
748f2546 733 TLS1_TXT_PSK_WITH_AES_128_CCM_8,
bbb4ceb8 734 TLS1_RFC_PSK_WITH_AES_128_CCM_8,
748f2546 735 TLS1_CK_PSK_WITH_AES_128_CCM_8,
547dba74
DSH		 736 SSL_kPSK,
737 SSL_aPSK,
748f2546 738 SSL_AES128CCM8,
547dba74 739 SSL_AEAD,
3eb2aff4
KR		 740 TLS1_2_VERSION, TLS1_2_VERSION,
741 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 742 SSL_NOT_DEFAULT | SSL_HIGH,
547dba74
DSH		 743 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
744 128,
745 128,
746 },
547dba74
DSH		 747 {
748 1,
748f2546 749 TLS1_TXT_PSK_WITH_AES_256_CCM_8,
bbb4ceb8 750 TLS1_RFC_PSK_WITH_AES_256_CCM_8,
748f2546 751 TLS1_CK_PSK_WITH_AES_256_CCM_8,
547dba74
DSH		 752 SSL_kPSK,
753 SSL_aPSK,
748f2546 754 SSL_AES256CCM8,
547dba74 755 SSL_AEAD,
3eb2aff4
KR		 756 TLS1_2_VERSION, TLS1_2_VERSION,
757 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 758 SSL_NOT_DEFAULT | SSL_HIGH,
759 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
547dba74
DSH		 760 256,
761 256,
762 },
ea6114c6
DSH		 763 {
764 1,
748f2546 765 TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8,
bbb4ceb8 766 TLS1_RFC_DHE_PSK_WITH_AES_128_CCM_8,
748f2546 767 TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8,
ea6114c6
DSH		 768 SSL_kDHEPSK,
769 SSL_aPSK,
748f2546 770 SSL_AES128CCM8,
ea6114c6 771 SSL_AEAD,
3eb2aff4
KR		 772 TLS1_2_VERSION, TLS1_2_VERSION,
773 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 774 SSL_NOT_DEFAULT | SSL_HIGH,
ea6114c6
DSH		 775 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
776 128,
777 128,
778 },
ea6114c6
DSH		 779 {
780 1,
748f2546 781 TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8,
bbb4ceb8 782 TLS1_RFC_DHE_PSK_WITH_AES_256_CCM_8,
748f2546
RS		 783 TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8,
784 SSL_kDHEPSK,
ea6114c6 785 SSL_aPSK,
748f2546 786 SSL_AES256CCM8,
ea6114c6 787 SSL_AEAD,
3eb2aff4
KR		 788 TLS1_2_VERSION, TLS1_2_VERSION,
789 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 790 SSL_NOT_DEFAULT | SSL_HIGH,
791 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 792 256,
793 256,
794 },
ea6114c6
DSH		 795 {
796 1,
748f2546 797 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM,
bbb4ceb8 798 TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CCM,
748f2546
RS		 799 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM,
800 SSL_kECDHE,
801 SSL_aECDSA,
802 SSL_AES128CCM,
ea6114c6 803 SSL_AEAD,
3eb2aff4
KR		 804 TLS1_2_VERSION, TLS1_2_VERSION,
805 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 806 SSL_NOT_DEFAULT | SSL_HIGH,
ea6114c6
DSH		 807 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
808 128,
809 128,
810 },
ea6114c6
DSH		 811 {
812 1,
748f2546 813 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM,
bbb4ceb8 814 TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CCM,
748f2546
RS		 815 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM,
816 SSL_kECDHE,
817 SSL_aECDSA,
818 SSL_AES256CCM,
ea6114c6 819 SSL_AEAD,
3eb2aff4
KR		 820 TLS1_2_VERSION, TLS1_2_VERSION,
821 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 822 SSL_NOT_DEFAULT | SSL_HIGH,
823 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 824 256,
825 256,
826 },
ea6114c6
DSH		 827 {
828 1,
748f2546 829 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8,
bbb4ceb8 830 TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CCM_8,
748f2546
RS		 831 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8,
832 SSL_kECDHE,
833 SSL_aECDSA,
834 SSL_AES128CCM8,
835 SSL_AEAD,
836 TLS1_2_VERSION, TLS1_2_VERSION,
837 DTLS1_2_VERSION, DTLS1_2_VERSION,
838 SSL_NOT_DEFAULT | SSL_HIGH,
839 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 840 128,
841 128,
842 },
ea6114c6
DSH		 843 {
844 1,
748f2546 845 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8,
bbb4ceb8 846 TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CCM_8,
748f2546
RS		 847 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8,
848 SSL_kECDHE,
849 SSL_aECDSA,
850 SSL_AES256CCM8,
851 SSL_AEAD,
852 TLS1_2_VERSION, TLS1_2_VERSION,
853 DTLS1_2_VERSION, DTLS1_2_VERSION,
854 SSL_NOT_DEFAULT | SSL_HIGH,
855 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
ea6114c6
DSH		 856 256,
857 256,
858 },
582a17d6
MC		 859 {
860 1,
861 TLS1_3_TXT_AES_128_GCM_SHA256,
bbb4ceb8 862 TLS1_3_RFC_AES_128_GCM_SHA256,
582a17d6 863 TLS1_3_CK_AES_128_GCM_SHA256,
9c92ea45 864 0, 0,
582a17d6
MC		 865 SSL_AES128GCM,
866 SSL_AEAD,
867 TLS1_3_VERSION, TLS1_3_VERSION,
f68521ee
DSH		 868 SSL_kANY,
869 SSL_aANY,
870 SSL_HIGH,
871 SSL_HANDSHAKE_MAC_SHA256,
872 128,
873 128,
874 },
875 {
876 1,
877 TLS1_3_TXT_AES_256_GCM_SHA384,
bbb4ceb8 878 TLS1_3_RFC_AES_256_GCM_SHA384,
f68521ee
DSH		 879 TLS1_3_CK_AES_256_GCM_SHA384,
880 SSL_kANY,
881 SSL_aANY,
882 SSL_AES256GCM,
883 SSL_AEAD,
884 TLS1_3_VERSION, TLS1_3_VERSION,
582a17d6
MC		 885 0, 0,
886 SSL_HIGH,
f68521ee
DSH		 887 SSL_HANDSHAKE_MAC_SHA384,
888 256,
889 256,
890 },
891#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
892 {
893 1,
894 TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
bbb4ceb8 895 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
f68521ee
DSH		 896 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
897 SSL_kANY,
898 SSL_aANY,
899 SSL_CHACHA20POLY1305,
900 SSL_AEAD,
901 TLS1_3_VERSION, TLS1_3_VERSION,
902 0, 0,
903 SSL_HIGH,
904 SSL_HANDSHAKE_MAC_SHA256,
905 256,
906 256,
907 },
908#endif
909 {
910 1,
911 TLS1_3_TXT_AES_128_CCM_SHA256,
bbb4ceb8 912 TLS1_3_RFC_AES_128_CCM_SHA256,
f68521ee
DSH		 913 TLS1_3_CK_AES_128_CCM_SHA256,
914 SSL_kANY,
915 SSL_aANY,
916 SSL_AES128CCM,
917 SSL_AEAD,
918 TLS1_3_VERSION, TLS1_3_VERSION,
919 0, 0,
920 SSL_NOT_DEFAULT | SSL_HIGH,
921 SSL_HANDSHAKE_MAC_SHA256,
922 128,
923 128,
924 },
925 {
926 1,
927 TLS1_3_TXT_AES_128_CCM_8_SHA256,
bbb4ceb8 928 TLS1_3_RFC_AES_128_CCM_8_SHA256,
f68521ee
DSH		 929 TLS1_3_CK_AES_128_CCM_8_SHA256,
930 SSL_kANY,
931 SSL_aANY,
932 SSL_AES128CCM8,
933 SSL_AEAD,
934 TLS1_3_VERSION, TLS1_3_VERSION,
935 0, 0,
936 SSL_NOT_DEFAULT | SSL_HIGH,
937 SSL_HANDSHAKE_MAC_SHA256,
582a17d6
MC		 938 128,
939 128,
940 },
ea6114c6 941
748f2546 942#ifndef OPENSSL_NO_EC
ea6114c6
DSH		 943 {
944 1,
748f2546 945 TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
bbb4ceb8 946 TLS1_RFC_ECDHE_ECDSA_WITH_NULL_SHA,
748f2546
RS		 947 TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
948 SSL_kECDHE,
949 SSL_aECDSA,
ea6114c6 950 SSL_eNULL,
748f2546 951 SSL_SHA1,
fe55c4a2 952 TLS1_VERSION, TLS1_2_VERSION,
387cf213 953 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 954 SSL_STRONG_NONE | SSL_FIPS,
ea6114c6
DSH		 955 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
956 0,
957 0,
958 },
d33726b9 959# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
ea6114c6
DSH		 960 {
961 1,
748f2546 962 TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
bbb4ceb8 963 TLS1_RFC_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
748f2546
RS		 964 TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
965 SSL_kECDHE,
966 SSL_aECDSA,
967 SSL_3DES,
968 SSL_SHA1,
fe55c4a2 969 TLS1_VERSION, TLS1_2_VERSION,
387cf213 970 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 971 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
748f2546
RS		 972 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
973 112,
974 168,
ea6114c6 975 },
d33726b9 976# endif
ea6114c6
DSH		 977 {
978 1,
748f2546 979 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
bbb4ceb8 980 TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
748f2546
RS		 981 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
982 SSL_kECDHE,
983 SSL_aECDSA,
ea6114c6 984 SSL_AES128,
748f2546 985 SSL_SHA1,
fe55c4a2 986 TLS1_VERSION, TLS1_2_VERSION,
387cf213 987 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 988 SSL_HIGH | SSL_FIPS,
ea6114c6
DSH		 989 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
990 128,
991 128,
992 },
ea6114c6
DSH		 993 {
994 1,
748f2546 995 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
bbb4ceb8 996 TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
748f2546
RS		 997 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
998 SSL_kECDHE,
999 SSL_aECDSA,
ea6114c6 1000 SSL_AES256,
748f2546 1001 SSL_SHA1,
fe55c4a2 1002 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1003 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1004 SSL_HIGH | SSL_FIPS,
748f2546 1005 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
ea6114c6
DSH		 1006 256,
1007 256,
1008 },
ea6114c6
DSH		 1009 {
1010 1,
748f2546 1011 TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
bbb4ceb8 1012 TLS1_RFC_ECDHE_RSA_WITH_NULL_SHA,
748f2546
RS		 1013 TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
1014 SSL_kECDHE,
1015 SSL_aRSA,
ea6114c6 1016 SSL_eNULL,
748f2546 1017 SSL_SHA1,
fe55c4a2 1018 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1019 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 1020 SSL_STRONG_NONE | SSL_FIPS,
ea6114c6
DSH		 1021 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1022 0,
1023 0,
1024 },
d33726b9 1025# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
ea6114c6
DSH		 1026 {
1027 1,
748f2546 1028 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
bbb4ceb8 1029 TLS1_RFC_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
748f2546
RS		 1030 TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
1031 SSL_kECDHE,
1032 SSL_aRSA,
1033 SSL_3DES,
1034 SSL_SHA1,
fe55c4a2 1035 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1036 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1037 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
748f2546
RS		 1038 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1039 112,
1040 168,
ea6114c6 1041 },
d33726b9 1042# endif
ea6114c6
DSH		 1043 {
1044 1,
748f2546 1045 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
bbb4ceb8 1046 TLS1_RFC_ECDHE_RSA_WITH_AES_128_CBC_SHA,
748f2546
RS		 1047 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1048 SSL_kECDHE,
ea6114c6
DSH		 1049 SSL_aRSA,
1050 SSL_AES128,
748f2546 1051 SSL_SHA1,
fe55c4a2 1052 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1053 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1054 SSL_HIGH | SSL_FIPS,
ea6114c6
DSH		 1055 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1056 128,
1057 128,
1058 },
ea6114c6
DSH		 1059 {
1060 1,
748f2546 1061 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
bbb4ceb8 1062 TLS1_RFC_ECDHE_RSA_WITH_AES_256_CBC_SHA,
748f2546
RS		 1063 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1064 SSL_kECDHE,
ea6114c6
DSH		 1065 SSL_aRSA,
1066 SSL_AES256,
748f2546 1067 SSL_SHA1,
fe55c4a2 1068 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1069 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1070 SSL_HIGH | SSL_FIPS,
748f2546 1071 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
ea6114c6
DSH		 1072 256,
1073 256,
1074 },
ea6114c6
DSH		 1075 {
1076 1,
748f2546 1077 TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
bbb4ceb8 1078 TLS1_RFC_ECDH_anon_WITH_NULL_SHA,
748f2546
RS		 1079 TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1080 SSL_kECDHE,
1081 SSL_aNULL,
ea6114c6 1082 SSL_eNULL,
748f2546 1083 SSL_SHA1,
fe55c4a2 1084 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1085 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 1086 SSL_STRONG_NONE | SSL_FIPS,
ea6114c6
DSH		 1087 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1088 0,
1089 0,
1090 },
d33726b9 1091# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
ea6114c6
DSH		 1092 {
1093 1,
748f2546 1094 TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
bbb4ceb8 1095 TLS1_RFC_ECDH_anon_WITH_DES_192_CBC3_SHA,
748f2546
RS		 1096 TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1097 SSL_kECDHE,
1098 SSL_aNULL,
1099 SSL_3DES,
1100 SSL_SHA1,
fe55c4a2 1101 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1102 DTLS1_BAD_VER, DTLS1_2_VERSION,
4a8e9c22 1103 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
748f2546
RS		 1104 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1105 112,
1106 168,
ea6114c6 1107 },
d33726b9 1108# endif
0f113f3e
MC		 1109 {
1110 1,
748f2546 1111 TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
bbb4ceb8 1112 TLS1_RFC_ECDH_anon_WITH_AES_128_CBC_SHA,
748f2546
RS		 1113 TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
1114 SSL_kECDHE,
1115 SSL_aNULL,
1116 SSL_AES128,
1117 SSL_SHA1,
fe55c4a2 1118 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1119 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1120 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
1121 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1122 128,
1123 128,
1124 },
0f113f3e
MC		 1125 {
1126 1,
748f2546 1127 TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
bbb4ceb8 1128 TLS1_RFC_ECDH_anon_WITH_AES_256_CBC_SHA,
748f2546
RS		 1129 TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
1130 SSL_kECDHE,
1131 SSL_aNULL,
1132 SSL_AES256,
1133 SSL_SHA1,
fe55c4a2 1134 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1135 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1136 SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
1137 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1138 256,
1139 256,
1140 },
1141 {
1142 1,
1143 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
bbb4ceb8 1144 TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_SHA256,
748f2546
RS		 1145 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
1146 SSL_kECDHE,
1147 SSL_aECDSA,
1148 SSL_AES128,
0f113f3e 1149 SSL_SHA256,
3eb2aff4
KR		 1150 TLS1_2_VERSION, TLS1_2_VERSION,
1151 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 1152 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1153 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
1154 128,
1155 128,
1156 },
0f113f3e
MC		 1157 {
1158 1,
748f2546 1159 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
bbb4ceb8 1160 TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_SHA384,
748f2546
RS		 1161 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
1162 SSL_kECDHE,
1163 SSL_aECDSA,
1164 SSL_AES256,
1165 SSL_SHA384,
3eb2aff4
KR		 1166 TLS1_2_VERSION, TLS1_2_VERSION,
1167 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 1168 SSL_HIGH | SSL_FIPS,
1169 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1170 256,
1171 256,
0f113f3e 1172 },
0f113f3e
MC		 1173 {
1174 1,
748f2546 1175 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
bbb4ceb8 1176 TLS1_RFC_ECDHE_RSA_WITH_AES_128_SHA256,
748f2546
RS		 1177 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
1178 SSL_kECDHE,
1179 SSL_aRSA,
1180 SSL_AES128,
0f113f3e 1181 SSL_SHA256,
3eb2aff4
KR		 1182 TLS1_2_VERSION, TLS1_2_VERSION,
1183 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 1184 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1185 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
1186 128,
1187 128,
1188 },
0f113f3e
MC		 1189 {
1190 1,
748f2546 1191 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
bbb4ceb8 1192 TLS1_RFC_ECDHE_RSA_WITH_AES_256_SHA384,
748f2546
RS		 1193 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
1194 SSL_kECDHE,
0f113f3e 1195 SSL_aRSA,
748f2546
RS		 1196 SSL_AES256,
1197 SSL_SHA384,
3eb2aff4
KR		 1198 TLS1_2_VERSION, TLS1_2_VERSION,
1199 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 1200 SSL_HIGH | SSL_FIPS,
1201 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 1202 256,
1203 256,
1204 },
0f113f3e
MC		 1205 {
1206 1,
748f2546 1207 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
bbb4ceb8 1208 TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
748f2546
RS		 1209 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1210 SSL_kECDHE,
1211 SSL_aECDSA,
1212 SSL_AES128GCM,
1213 SSL_AEAD,
3eb2aff4
KR		 1214 TLS1_2_VERSION, TLS1_2_VERSION,
1215 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 1216 SSL_HIGH | SSL_FIPS,
0f113f3e 1217 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
748f2546
RS		 1218 128,
1219 128,
1220 },
1221 {
1222 1,
1223 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
bbb4ceb8 1224 TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
748f2546
RS		 1225 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
1226 SSL_kECDHE,
1227 SSL_aECDSA,
1228 SSL_AES256GCM,
1229 SSL_AEAD,
1230 TLS1_2_VERSION, TLS1_2_VERSION,
1231 DTLS1_2_VERSION, DTLS1_2_VERSION,
1232 SSL_HIGH | SSL_FIPS,
1233 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 1234 256,
1235 256,
1236 },
0f113f3e
MC		 1237 {
1238 1,
748f2546 1239 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
bbb4ceb8 1240 TLS1_RFC_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
748f2546
RS		 1241 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1242 SSL_kECDHE,
0f113f3e 1243 SSL_aRSA,
748f2546
RS		 1244 SSL_AES128GCM,
1245 SSL_AEAD,
3eb2aff4
KR		 1246 TLS1_2_VERSION, TLS1_2_VERSION,
1247 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546 1248 SSL_HIGH | SSL_FIPS,
0f113f3e 1249 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
748f2546
RS		 1250 128,
1251 128,
0f113f3e 1252 },
0f113f3e
MC		 1253 {
1254 1,
748f2546 1255 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
bbb4ceb8 1256 TLS1_RFC_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
748f2546
RS		 1257 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1258 SSL_kECDHE,
1259 SSL_aRSA,
1260 SSL_AES256GCM,
1261 SSL_AEAD,
3eb2aff4
KR		 1262 TLS1_2_VERSION, TLS1_2_VERSION,
1263 DTLS1_2_VERSION, DTLS1_2_VERSION,
748f2546
RS		 1264 SSL_HIGH | SSL_FIPS,
1265 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 1266 256,
1267 256,
1268 },
a230b26e 1269#endif /* OPENSSL_NO_EC */
0f113f3e 1270
748f2546 1271#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 1272 {
1273 1,
748f2546 1274 TLS1_TXT_PSK_WITH_NULL_SHA,
bbb4ceb8 1275 TLS1_RFC_PSK_WITH_NULL_SHA,
748f2546
RS		 1276 TLS1_CK_PSK_WITH_NULL_SHA,
1277 SSL_kPSK,
1278 SSL_aPSK,
0f113f3e
MC		 1279 SSL_eNULL,
1280 SSL_SHA1,
3eb2aff4 1281 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1282 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 1283 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e
MC		 1284 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1285 0,
1286 0,
1287 },
0f113f3e
MC		 1288 {
1289 1,
748f2546 1290 TLS1_TXT_DHE_PSK_WITH_NULL_SHA,
bbb4ceb8 1291 TLS1_RFC_DHE_PSK_WITH_NULL_SHA,
748f2546
RS		 1292 TLS1_CK_DHE_PSK_WITH_NULL_SHA,
1293 SSL_kDHEPSK,
1294 SSL_aPSK,
1295 SSL_eNULL,
0f113f3e 1296 SSL_SHA1,
3eb2aff4 1297 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1298 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1299 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e 1300 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
748f2546
RS		 1301 0,
1302 0,
0f113f3e 1303 },
0f113f3e
MC		 1304 {
1305 1,
748f2546 1306 TLS1_TXT_RSA_PSK_WITH_NULL_SHA,
bbb4ceb8 1307 TLS1_RFC_RSA_PSK_WITH_NULL_SHA,
748f2546
RS		 1308 TLS1_CK_RSA_PSK_WITH_NULL_SHA,
1309 SSL_kRSAPSK,
1310 SSL_aRSA,
1311 SSL_eNULL,
1312 SSL_SHA1,
1313 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1314 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1315 SSL_STRONG_NONE | SSL_FIPS,
1316 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1317 0,
1318 0,
1319 },
d33726b9 1320# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
748f2546
RS		 1321 {
1322 1,
1323 TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1324 TLS1_RFC_PSK_WITH_3DES_EDE_CBC_SHA,
748f2546
RS		 1325 TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA,
1326 SSL_kPSK,
1327 SSL_aPSK,
0f113f3e
MC		 1328 SSL_3DES,
1329 SSL_SHA1,
3eb2aff4 1330 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1331 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1332 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e
MC		 1333 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1334 112,
1335 168,
1336 },
d33726b9 1337# endif
0f113f3e
MC		 1338 {
1339 1,
748f2546 1340 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
bbb4ceb8 1341 TLS1_RFC_PSK_WITH_AES_128_CBC_SHA,
748f2546
RS		 1342 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
1343 SSL_kPSK,
1344 SSL_aPSK,
0f113f3e
MC		 1345 SSL_AES128,
1346 SSL_SHA1,
3eb2aff4 1347 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1348 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1349 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1350 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1351 128,
1352 128,
1353 },
0f113f3e
MC		 1354 {
1355 1,
748f2546 1356 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
bbb4ceb8 1357 TLS1_RFC_PSK_WITH_AES_256_CBC_SHA,
748f2546
RS		 1358 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
1359 SSL_kPSK,
1360 SSL_aPSK,
0f113f3e
MC		 1361 SSL_AES256,
1362 SSL_SHA1,
3eb2aff4 1363 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1364 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1365 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1366 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1367 256,
1368 256,
1369 },
d33726b9 1370# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
0f113f3e
MC		 1371 {
1372 1,
748f2546 1373 TLS1_TXT_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1374 TLS1_RFC_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
748f2546
RS		 1375 TLS1_CK_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
1376 SSL_kDHEPSK,
1377 SSL_aPSK,
1378 SSL_3DES,
0f113f3e 1379 SSL_SHA1,
3eb2aff4 1380 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1381 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1382 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e 1383 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
748f2546
RS		 1384 112,
1385 168,
0f113f3e 1386 },
d33726b9 1387# endif
0f113f3e
MC		 1388 {
1389 1,
748f2546 1390 TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA,
bbb4ceb8 1391 TLS1_RFC_DHE_PSK_WITH_AES_128_CBC_SHA,
748f2546
RS		 1392 TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA,
1393 SSL_kDHEPSK,
1394 SSL_aPSK,
1395 SSL_AES128,
1396 SSL_SHA1,
1397 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1398 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1399 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1400 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1401 128,
1402 128,
1403 },
0f113f3e
MC		 1404 {
1405 1,
748f2546 1406 TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA,
bbb4ceb8 1407 TLS1_RFC_DHE_PSK_WITH_AES_256_CBC_SHA,
748f2546
RS		 1408 TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA,
1409 SSL_kDHEPSK,
1410 SSL_aPSK,
1411 SSL_AES256,
1412 SSL_SHA1,
1413 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1414 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1415 SSL_HIGH | SSL_FIPS,
1416 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1417 256,
1418 256,
1419 },
d33726b9 1420# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
748f2546
RS		 1421 {
1422 1,
1423 TLS1_TXT_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1424 TLS1_RFC_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
748f2546
RS		 1425 TLS1_CK_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
1426 SSL_kRSAPSK,
0f113f3e
MC		 1427 SSL_aRSA,
1428 SSL_3DES,
1429 SSL_SHA1,
3eb2aff4 1430 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1431 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1432 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
0f113f3e
MC		 1433 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1434 112,
1435 168,
1436 },
d33726b9 1437# endif
0f113f3e
MC		 1438 {
1439 1,
748f2546 1440 TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA,
bbb4ceb8 1441 TLS1_RFC_RSA_PSK_WITH_AES_128_CBC_SHA,
748f2546
RS		 1442 TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA,
1443 SSL_kRSAPSK,
0f113f3e
MC		 1444 SSL_aRSA,
1445 SSL_AES128,
1446 SSL_SHA1,
3eb2aff4 1447 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1448 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1449 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1450 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1451 128,
1452 128,
1453 },
0f113f3e
MC		 1454 {
1455 1,
748f2546 1456 TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA,
bbb4ceb8 1457 TLS1_RFC_RSA_PSK_WITH_AES_256_CBC_SHA,
748f2546
RS		 1458 TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA,
1459 SSL_kRSAPSK,
0f113f3e
MC		 1460 SSL_aRSA,
1461 SSL_AES256,
1462 SSL_SHA1,
3eb2aff4 1463 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1464 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1465 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1466 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1467 256,
1468 256,
1469 },
0f113f3e
MC		 1470 {
1471 1,
748f2546 1472 TLS1_TXT_PSK_WITH_AES_128_GCM_SHA256,
bbb4ceb8 1473 TLS1_RFC_PSK_WITH_AES_128_GCM_SHA256,
748f2546
RS		 1474 TLS1_CK_PSK_WITH_AES_128_GCM_SHA256,
1475 SSL_kPSK,
1476 SSL_aPSK,
1477 SSL_AES128GCM,
1478 SSL_AEAD,
1479 TLS1_2_VERSION, TLS1_2_VERSION,
1480 DTLS1_2_VERSION, DTLS1_2_VERSION,
1481 SSL_HIGH | SSL_FIPS,
1482 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 1483 128,
1484 128,
1485 },
0f113f3e
MC		 1486 {
1487 1,
748f2546 1488 TLS1_TXT_PSK_WITH_AES_256_GCM_SHA384,
bbb4ceb8 1489 TLS1_RFC_PSK_WITH_AES_256_GCM_SHA384,
748f2546
RS		 1490 TLS1_CK_PSK_WITH_AES_256_GCM_SHA384,
1491 SSL_kPSK,
1492 SSL_aPSK,
1493 SSL_AES256GCM,
1494 SSL_AEAD,
1495 TLS1_2_VERSION, TLS1_2_VERSION,
1496 DTLS1_2_VERSION, DTLS1_2_VERSION,
1497 SSL_HIGH | SSL_FIPS,
1498 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1499 256,
1500 256,
0f113f3e 1501 },
0f113f3e
MC		 1502 {
1503 1,
748f2546 1504 TLS1_TXT_DHE_PSK_WITH_AES_128_GCM_SHA256,
bbb4ceb8 1505 TLS1_RFC_DHE_PSK_WITH_AES_128_GCM_SHA256,
748f2546
RS		 1506 TLS1_CK_DHE_PSK_WITH_AES_128_GCM_SHA256,
1507 SSL_kDHEPSK,
1508 SSL_aPSK,
1509 SSL_AES128GCM,
1510 SSL_AEAD,
1511 TLS1_2_VERSION, TLS1_2_VERSION,
1512 DTLS1_2_VERSION, DTLS1_2_VERSION,
1513 SSL_HIGH | SSL_FIPS,
1514 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
0f113f3e
MC		 1515 128,
1516 128,
1517 },
0f113f3e
MC		 1518 {
1519 1,
748f2546 1520 TLS1_TXT_DHE_PSK_WITH_AES_256_GCM_SHA384,
bbb4ceb8 1521 TLS1_RFC_DHE_PSK_WITH_AES_256_GCM_SHA384,
748f2546
RS		 1522 TLS1_CK_DHE_PSK_WITH_AES_256_GCM_SHA384,
1523 SSL_kDHEPSK,
1524 SSL_aPSK,
1525 SSL_AES256GCM,
1526 SSL_AEAD,
1527 TLS1_2_VERSION, TLS1_2_VERSION,
1528 DTLS1_2_VERSION, DTLS1_2_VERSION,
1529 SSL_HIGH | SSL_FIPS,
1530 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 1531 256,
1532 256,
1533 },
0f113f3e
MC		 1534 {
1535 1,
748f2546 1536 TLS1_TXT_RSA_PSK_WITH_AES_128_GCM_SHA256,
bbb4ceb8 1537 TLS1_RFC_RSA_PSK_WITH_AES_128_GCM_SHA256,
748f2546
RS		 1538 TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256,
1539 SSL_kRSAPSK,
0f113f3e 1540 SSL_aRSA,
748f2546
RS		 1541 SSL_AES128GCM,
1542 SSL_AEAD,
1543 TLS1_2_VERSION, TLS1_2_VERSION,
1544 DTLS1_2_VERSION, DTLS1_2_VERSION,
1545 SSL_HIGH | SSL_FIPS,
1546 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
1547 128,
1548 128,
0f113f3e 1549 },
0f113f3e
MC		 1550 {
1551 1,
748f2546 1552 TLS1_TXT_RSA_PSK_WITH_AES_256_GCM_SHA384,
bbb4ceb8 1553 TLS1_RFC_RSA_PSK_WITH_AES_256_GCM_SHA384,
748f2546
RS		 1554 TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384,
1555 SSL_kRSAPSK,
1556 SSL_aRSA,
1557 SSL_AES256GCM,
1558 SSL_AEAD,
1559 TLS1_2_VERSION, TLS1_2_VERSION,
1560 DTLS1_2_VERSION, DTLS1_2_VERSION,
1561 SSL_HIGH | SSL_FIPS,
1562 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1563 256,
1564 256,
0f113f3e 1565 },
0f113f3e
MC		 1566 {
1567 1,
748f2546 1568 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA256,
bbb4ceb8 1569 TLS1_RFC_PSK_WITH_AES_128_CBC_SHA256,
748f2546
RS		 1570 TLS1_CK_PSK_WITH_AES_128_CBC_SHA256,
1571 SSL_kPSK,
1572 SSL_aPSK,
0f113f3e 1573 SSL_AES128,
748f2546
RS		 1574 SSL_SHA256,
1575 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1576 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1577 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1578 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1579 128,
1580 128,
1581 },
0f113f3e
MC		 1582 {
1583 1,
748f2546 1584 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA384,
bbb4ceb8 1585 TLS1_RFC_PSK_WITH_AES_256_CBC_SHA384,
748f2546
RS		 1586 TLS1_CK_PSK_WITH_AES_256_CBC_SHA384,
1587 SSL_kPSK,
1588 SSL_aPSK,
1589 SSL_AES256,
1590 SSL_SHA384,
1591 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1592 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1593 SSL_HIGH | SSL_FIPS,
1594 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1595 256,
1596 256,
0f113f3e 1597 },
0f113f3e
MC		 1598 {
1599 1,
748f2546 1600 TLS1_TXT_PSK_WITH_NULL_SHA256,
bbb4ceb8 1601 TLS1_RFC_PSK_WITH_NULL_SHA256,
748f2546
RS		 1602 TLS1_CK_PSK_WITH_NULL_SHA256,
1603 SSL_kPSK,
1604 SSL_aPSK,
1605 SSL_eNULL,
1606 SSL_SHA256,
1607 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1608 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1609 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e 1610 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
748f2546
RS		 1611 0,
1612 0,
0f113f3e 1613 },
0f113f3e
MC		 1614 {
1615 1,
748f2546 1616 TLS1_TXT_PSK_WITH_NULL_SHA384,
bbb4ceb8 1617 TLS1_RFC_PSK_WITH_NULL_SHA384,
748f2546
RS		 1618 TLS1_CK_PSK_WITH_NULL_SHA384,
1619 SSL_kPSK,
1620 SSL_aPSK,
1621 SSL_eNULL,
1622 SSL_SHA384,
1623 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1624 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1625 SSL_STRONG_NONE | SSL_FIPS,
1626 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1627 0,
1628 0,
0f113f3e 1629 },
0f113f3e
MC		 1630 {
1631 1,
748f2546 1632 TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256,
bbb4ceb8 1633 TLS1_RFC_DHE_PSK_WITH_AES_128_CBC_SHA256,
748f2546
RS		 1634 TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA256,
1635 SSL_kDHEPSK,
1636 SSL_aPSK,
1637 SSL_AES128,
1638 SSL_SHA256,
1639 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1640 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1641 SSL_HIGH | SSL_FIPS,
0f113f3e 1642 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
748f2546
RS		 1643 128,
1644 128,
0f113f3e 1645 },
0f113f3e
MC		 1646 {
1647 1,
748f2546 1648 TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA384,
bbb4ceb8 1649 TLS1_RFC_DHE_PSK_WITH_AES_256_CBC_SHA384,
748f2546
RS		 1650 TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA384,
1651 SSL_kDHEPSK,
1652 SSL_aPSK,
0f113f3e 1653 SSL_AES256,
748f2546
RS		 1654 SSL_SHA384,
1655 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1656 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1657 SSL_HIGH | SSL_FIPS,
1658 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0f113f3e
MC		 1659 256,
1660 256,
1661 },
0f113f3e
MC		 1662 {
1663 1,
748f2546 1664 TLS1_TXT_DHE_PSK_WITH_NULL_SHA256,
bbb4ceb8 1665 TLS1_RFC_DHE_PSK_WITH_NULL_SHA256,
748f2546
RS		 1666 TLS1_CK_DHE_PSK_WITH_NULL_SHA256,
1667 SSL_kDHEPSK,
1668 SSL_aPSK,
1669 SSL_eNULL,
0f113f3e 1670 SSL_SHA256,
748f2546 1671 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1672 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1673 SSL_STRONG_NONE | SSL_FIPS,
1674 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1675 0,
1676 0,
0f113f3e 1677 },
0f113f3e
MC		 1678 {
1679 1,
748f2546 1680 TLS1_TXT_DHE_PSK_WITH_NULL_SHA384,
bbb4ceb8 1681 TLS1_RFC_DHE_PSK_WITH_NULL_SHA384,
748f2546
RS		 1682 TLS1_CK_DHE_PSK_WITH_NULL_SHA384,
1683 SSL_kDHEPSK,
1684 SSL_aPSK,
1685 SSL_eNULL,
0f113f3e 1686 SSL_SHA384,
748f2546 1687 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1688 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1689 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e 1690 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
748f2546
RS		 1691 0,
1692 0,
0f113f3e 1693 },
0f113f3e
MC		 1694 {
1695 1,
748f2546 1696 TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256,
bbb4ceb8 1697 TLS1_RFC_RSA_PSK_WITH_AES_128_CBC_SHA256,
748f2546
RS		 1698 TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA256,
1699 SSL_kRSAPSK,
0f113f3e
MC		 1700 SSL_aRSA,
1701 SSL_AES128,
1702 SSL_SHA256,
748f2546 1703 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1704 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1705 SSL_HIGH | SSL_FIPS,
748f2546 1706 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0f113f3e
MC		 1707 128,
1708 128,
1709 },
0f113f3e
MC		 1710 {
1711 1,
748f2546 1712 TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA384,
bbb4ceb8 1713 TLS1_RFC_RSA_PSK_WITH_AES_256_CBC_SHA384,
748f2546
RS		 1714 TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA384,
1715 SSL_kRSAPSK,
0f113f3e
MC		 1716 SSL_aRSA,
1717 SSL_AES256,
1718 SSL_SHA384,
748f2546 1719 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1720 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1721 SSL_HIGH | SSL_FIPS,
0f113f3e
MC		 1722 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1723 256,
1724 256,
1725 },
0f113f3e
MC		 1726 {
1727 1,
748f2546 1728 TLS1_TXT_RSA_PSK_WITH_NULL_SHA256,
bbb4ceb8 1729 TLS1_RFC_RSA_PSK_WITH_NULL_SHA256,
748f2546
RS		 1730 TLS1_CK_RSA_PSK_WITH_NULL_SHA256,
1731 SSL_kRSAPSK,
0f113f3e 1732 SSL_aRSA,
748f2546
RS		 1733 SSL_eNULL,
1734 SSL_SHA256,
1735 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1736 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1737 SSL_STRONG_NONE | SSL_FIPS,
1738 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1739 0,
1740 0,
0f113f3e 1741 },
0f113f3e
MC		 1742 {
1743 1,
748f2546 1744 TLS1_TXT_RSA_PSK_WITH_NULL_SHA384,
bbb4ceb8 1745 TLS1_RFC_RSA_PSK_WITH_NULL_SHA384,
748f2546
RS		 1746 TLS1_CK_RSA_PSK_WITH_NULL_SHA384,
1747 SSL_kRSAPSK,
0f113f3e 1748 SSL_aRSA,
748f2546
RS		 1749 SSL_eNULL,
1750 SSL_SHA384,
1751 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1752 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546 1753 SSL_STRONG_NONE | SSL_FIPS,
0f113f3e 1754 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
748f2546
RS		 1755 0,
1756 0,
ea6114c6 1757 },
748f2546 1758# ifndef OPENSSL_NO_EC
d33726b9 1759# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
ea6114c6
DSH		 1760 {
1761 1,
1762 TLS1_TXT_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1763 TLS1_RFC_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
ea6114c6
DSH		 1764 TLS1_CK_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
1765 SSL_kECDHEPSK,
1766 SSL_aPSK,
1767 SSL_3DES,
1768 SSL_SHA1,
fe55c4a2 1769 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1770 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1771 SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
ea6114c6
DSH		 1772 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1773 112,
1774 168,
1775 },
d33726b9 1776# endif
ea6114c6
DSH		 1777 {
1778 1,
1779 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
bbb4ceb8 1780 TLS1_RFC_ECDHE_PSK_WITH_AES_128_CBC_SHA,
ea6114c6
DSH		 1781 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
1782 SSL_kECDHEPSK,
1783 SSL_aPSK,
1784 SSL_AES128,
1785 SSL_SHA1,
fe55c4a2 1786 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1787 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1788 SSL_HIGH | SSL_FIPS,
ea6114c6
DSH		 1789 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1790 128,
1791 128,
1792 },
ea6114c6
DSH		 1793 {
1794 1,
1795 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
bbb4ceb8 1796 TLS1_RFC_ECDHE_PSK_WITH_AES_256_CBC_SHA,
ea6114c6
DSH		 1797 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
1798 SSL_kECDHEPSK,
1799 SSL_aPSK,
1800 SSL_AES256,
1801 SSL_SHA1,
fe55c4a2 1802 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1803 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1804 SSL_HIGH | SSL_FIPS,
ea6114c6
DSH		 1805 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1806 256,
1807 256,
1808 },
ea6114c6
DSH		 1809 {
1810 1,
1811 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
bbb4ceb8 1812 TLS1_RFC_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
ea6114c6
DSH		 1813 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
1814 SSL_kECDHEPSK,
1815 SSL_aPSK,
1816 SSL_AES128,
1817 SSL_SHA256,
3eb2aff4 1818 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1819 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1820 SSL_HIGH | SSL_FIPS,
ea6114c6
DSH		 1821 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1822 128,
1823 128,
1824 },
ea6114c6
DSH		 1825 {
1826 1,
1827 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
bbb4ceb8 1828 TLS1_RFC_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
ea6114c6
DSH		 1829 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
1830 SSL_kECDHEPSK,
1831 SSL_aPSK,
1832 SSL_AES256,
1833 SSL_SHA384,
3eb2aff4 1834 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1835 DTLS1_BAD_VER, DTLS1_2_VERSION,
361a1191 1836 SSL_HIGH | SSL_FIPS,
ea6114c6
DSH		 1837 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1838 256,
1839 256,
1840 },
ea6114c6
DSH		 1841 {
1842 1,
1843 TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA,
bbb4ceb8 1844 TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA,
ea6114c6
DSH		 1845 TLS1_CK_ECDHE_PSK_WITH_NULL_SHA,
1846 SSL_kECDHEPSK,
1847 SSL_aPSK,
1848 SSL_eNULL,
1849 SSL_SHA1,
fe55c4a2 1850 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1851 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 1852 SSL_STRONG_NONE | SSL_FIPS,
ea6114c6
DSH		 1853 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1854 0,
1855 0,
1856 },
ea6114c6
DSH		 1857 {
1858 1,
1859 TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA256,
bbb4ceb8 1860 TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA256,
ea6114c6
DSH		 1861 TLS1_CK_ECDHE_PSK_WITH_NULL_SHA256,
1862 SSL_kECDHEPSK,
1863 SSL_aPSK,
1864 SSL_eNULL,
1865 SSL_SHA256,
3eb2aff4 1866 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1867 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 1868 SSL_STRONG_NONE | SSL_FIPS,
ea6114c6
DSH		 1869 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1870 0,
1871 0,
1872 },
ea6114c6
DSH		 1873 {
1874 1,
1875 TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA384,
bbb4ceb8 1876 TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA384,
ea6114c6
DSH		 1877 TLS1_CK_ECDHE_PSK_WITH_NULL_SHA384,
1878 SSL_kECDHEPSK,
1879 SSL_aPSK,
1880 SSL_eNULL,
1881 SSL_SHA384,
3eb2aff4 1882 TLS1_VERSION, TLS1_2_VERSION,
387cf213 1883 DTLS1_BAD_VER, DTLS1_2_VERSION,
1510b5f7 1884 SSL_STRONG_NONE | SSL_FIPS,
ea6114c6
DSH		 1885 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
1886 0,
1887 0,
1888 },
a230b26e
EK		 1889# endif /* OPENSSL_NO_EC */
1890#endif /* OPENSSL_NO_PSK */
ea6114c6 1891
748f2546 1892#ifndef OPENSSL_NO_SRP
d33726b9 1893# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
748f2546
RS		 1894 {
1895 1,
1896 TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1897 TLS1_RFC_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
748f2546
RS		 1898 TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
1899 SSL_kSRP,
1900 SSL_aSRP,
1901 SSL_3DES,
1902 SSL_SHA1,
1903 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1904 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1905 SSL_NOT_DEFAULT | SSL_MEDIUM,
748f2546
RS		 1906 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1907 112,
1908 168,
1909 },
1910 {
1911 1,
1912 TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1913 TLS1_RFC_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
748f2546
RS		 1914 TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
1915 SSL_kSRP,
1916 SSL_aRSA,
1917 SSL_3DES,
1918 SSL_SHA1,
1919 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1920 DTLS1_BAD_VER, DTLS1_2_VERSION,
ef28891b 1921 SSL_NOT_DEFAULT | SSL_MEDIUM,
748f2546
RS		 1922 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1923 112,
1924 168,
1925 },
1926 {
1927 1,
1928 TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
bbb4ceb8 1929 TLS1_RFC_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
748f2546
RS		 1930 TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
1931 SSL_kSRP,
1932 SSL_aDSS,
1933 SSL_3DES,
1934 SSL_SHA1,
1935 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1936 DTLS1_BAD_VER, DTLS1_2_VERSION,
4a8e9c22 1937 SSL_NOT_DEFAULT | SSL_MEDIUM,
748f2546
RS		 1938 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1939 112,
1940 168,
1941 },
d33726b9 1942# endif
748f2546
RS		 1943 {
1944 1,
1945 TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
bbb4ceb8 1946 TLS1_RFC_SRP_SHA_WITH_AES_128_CBC_SHA,
748f2546
RS		 1947 TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
1948 SSL_kSRP,
1949 SSL_aSRP,
1950 SSL_AES128,
1951 SSL_SHA1,
1952 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1953 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1954 SSL_HIGH,
1955 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1956 128,
1957 128,
1958 },
1959 {
1960 1,
1961 TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
bbb4ceb8 1962 TLS1_RFC_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
748f2546
RS		 1963 TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
1964 SSL_kSRP,
1965 SSL_aRSA,
1966 SSL_AES128,
1967 SSL_SHA1,
1968 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1969 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1970 SSL_HIGH,
1971 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1972 128,
1973 128,
1974 },
1975 {
1976 1,
1977 TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
bbb4ceb8 1978 TLS1_RFC_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
748f2546
RS		 1979 TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
1980 SSL_kSRP,
1981 SSL_aDSS,
1982 SSL_AES128,
1983 SSL_SHA1,
1984 SSL3_VERSION, TLS1_2_VERSION,
387cf213 1985 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 1986 SSL_NOT_DEFAULT | SSL_HIGH,
1987 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
1988 128,
1989 128,
1990 },
1991 {
1992 1,
1993 TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
bbb4ceb8 1994 TLS1_RFC_SRP_SHA_WITH_AES_256_CBC_SHA,
748f2546
RS		 1995 TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
1996 SSL_kSRP,
1997 SSL_aSRP,
1998 SSL_AES256,
1999 SSL_SHA1,
2000 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2001 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2002 SSL_HIGH,
2003 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2004 256,
2005 256,
2006 },
2007 {
2008 1,
2009 TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
bbb4ceb8 2010 TLS1_RFC_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
748f2546
RS		 2011 TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
2012 SSL_kSRP,
2013 SSL_aRSA,
2014 SSL_AES256,
2015 SSL_SHA1,
2016 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2017 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2018 SSL_HIGH,
2019 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2020 256,
2021 256,
2022 },
2023 {
2024 1,
2025 TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
bbb4ceb8 2026 TLS1_RFC_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
748f2546
RS		 2027 TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
2028 SSL_kSRP,
2029 SSL_aDSS,
2030 SSL_AES256,
2031 SSL_SHA1,
2032 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2033 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2034 SSL_NOT_DEFAULT | SSL_HIGH,
2035 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2036 256,
2037 256,
2038 },
a230b26e 2039#endif /* OPENSSL_NO_SRP */
748f2546
RS		 2040
2041#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
2042# ifndef OPENSSL_NO_RSA
2043 {
2044 1,
2045 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
bbb4ceb8 2046 TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305,
748f2546
RS		 2047 TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
2048 SSL_kDHE,
2049 SSL_aRSA,
2050 SSL_CHACHA20POLY1305,
2051 SSL_AEAD,
2052 TLS1_2_VERSION, TLS1_2_VERSION,
2053 DTLS1_2_VERSION, DTLS1_2_VERSION,
2054 SSL_HIGH,
2055 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2056 256,
2057 256,
2058 },
a230b26e 2059# endif /* OPENSSL_NO_RSA */
748f2546
RS		 2060
2061# ifndef OPENSSL_NO_EC
2062 {
2063 1,
2064 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
bbb4ceb8 2065 TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305,
748f2546
RS		 2066 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
2067 SSL_kECDHE,
2068 SSL_aRSA,
2069 SSL_CHACHA20POLY1305,
2070 SSL_AEAD,
2071 TLS1_2_VERSION, TLS1_2_VERSION,
2072 DTLS1_2_VERSION, DTLS1_2_VERSION,
2073 SSL_HIGH,
2074 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2075 256,
2076 256,
2077 },
2078 {
2079 1,
2080 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
bbb4ceb8 2081 TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
748f2546
RS		 2082 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
2083 SSL_kECDHE,
2084 SSL_aECDSA,
2085 SSL_CHACHA20POLY1305,
2086 SSL_AEAD,
2087 TLS1_2_VERSION, TLS1_2_VERSION,
2088 DTLS1_2_VERSION, DTLS1_2_VERSION,
2089 SSL_HIGH,
2090 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2091 256,
2092 256,
2093 },
a230b26e 2094# endif /* OPENSSL_NO_EC */
748f2546
RS		 2095
2096# ifndef OPENSSL_NO_PSK
2097 {
2098 1,
2099 TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
bbb4ceb8 2100 TLS1_RFC_PSK_WITH_CHACHA20_POLY1305,
748f2546
RS		 2101 TLS1_CK_PSK_WITH_CHACHA20_POLY1305,
2102 SSL_kPSK,
2103 SSL_aPSK,
2104 SSL_CHACHA20POLY1305,
2105 SSL_AEAD,
2106 TLS1_2_VERSION, TLS1_2_VERSION,
2107 DTLS1_2_VERSION, DTLS1_2_VERSION,
2108 SSL_HIGH,
2109 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2110 256,
2111 256,
2112 },
2113 {
2114 1,
2115 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305,
bbb4ceb8 2116 TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305,
748f2546
RS		 2117 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305,
2118 SSL_kECDHEPSK,
2119 SSL_aPSK,
2120 SSL_CHACHA20POLY1305,
2121 SSL_AEAD,
2122 TLS1_2_VERSION, TLS1_2_VERSION,
2123 DTLS1_2_VERSION, DTLS1_2_VERSION,
2124 SSL_HIGH,
2125 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2126 256,
2127 256,
2128 },
2129 {
2130 1,
2131 TLS1_TXT_DHE_PSK_WITH_CHACHA20_POLY1305,
bbb4ceb8 2132 TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305,
748f2546
RS		 2133 TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305,
2134 SSL_kDHEPSK,
2135 SSL_aPSK,
2136 SSL_CHACHA20POLY1305,
2137 SSL_AEAD,
2138 TLS1_2_VERSION, TLS1_2_VERSION,
2139 DTLS1_2_VERSION, DTLS1_2_VERSION,
2140 SSL_HIGH,
2141 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2142 256,
2143 256,
2144 },
2145 {
2146 1,
2147 TLS1_TXT_RSA_PSK_WITH_CHACHA20_POLY1305,
bbb4ceb8 2148 TLS1_RFC_RSA_PSK_WITH_CHACHA20_POLY1305,
748f2546
RS		 2149 TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305,
2150 SSL_kRSAPSK,
2151 SSL_aRSA,
2152 SSL_CHACHA20POLY1305,
2153 SSL_AEAD,
2154 TLS1_2_VERSION, TLS1_2_VERSION,
2155 DTLS1_2_VERSION, DTLS1_2_VERSION,
2156 SSL_HIGH,
2157 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2158 256,
2159 256,
2160 },
a230b26e
EK		 2161# endif /* OPENSSL_NO_PSK */
2162#endif /* !defined(OPENSSL_NO_CHACHA) &&
2163 * !defined(OPENSSL_NO_POLY1305) */
748f2546
RS		 2164
2165#ifndef OPENSSL_NO_CAMELLIA
2166 {
2167 1,
2168 TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2169 TLS1_RFC_RSA_WITH_CAMELLIA_128_CBC_SHA256,
748f2546
RS		 2170 TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
2171 SSL_kRSA,
2172 SSL_aRSA,
2173 SSL_CAMELLIA128,
2174 SSL_SHA256,
2175 TLS1_2_VERSION, TLS1_2_VERSION,
2176 DTLS1_2_VERSION, DTLS1_2_VERSION,
2177 SSL_NOT_DEFAULT | SSL_HIGH,
2178 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2179 128,
2180 128,
2181 },
2182 {
2183 1,
2184 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2185 TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
748f2546
RS		 2186 TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
2187 SSL_kEDH,
2188 SSL_aDSS,
2189 SSL_CAMELLIA128,
2190 SSL_SHA256,
2191 TLS1_2_VERSION, TLS1_2_VERSION,
2192 DTLS1_2_VERSION, DTLS1_2_VERSION,
2193 SSL_NOT_DEFAULT | SSL_HIGH,
2194 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2195 128,
2196 128,
2197 },
2198 {
2199 1,
2200 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2201 TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
748f2546
RS		 2202 TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
2203 SSL_kEDH,
2204 SSL_aRSA,
2205 SSL_CAMELLIA128,
2206 SSL_SHA256,
2207 TLS1_2_VERSION, TLS1_2_VERSION,
2208 DTLS1_2_VERSION, DTLS1_2_VERSION,
2209 SSL_NOT_DEFAULT | SSL_HIGH,
2210 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2211 128,
2212 128,
2213 },
2214 {
2215 1,
2216 TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2217 TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256,
748f2546
RS		 2218 TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
2219 SSL_kEDH,
2220 SSL_aNULL,
2221 SSL_CAMELLIA128,
2222 SSL_SHA256,
2223 TLS1_2_VERSION, TLS1_2_VERSION,
2224 DTLS1_2_VERSION, DTLS1_2_VERSION,
2225 SSL_NOT_DEFAULT | SSL_HIGH,
2226 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2227 128,
2228 128,
2229 },
2230 {
2231 1,
2232 TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
bbb4ceb8 2233 TLS1_RFC_RSA_WITH_CAMELLIA_256_CBC_SHA256,
748f2546
RS		 2234 TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
2235 SSL_kRSA,
2236 SSL_aRSA,
2237 SSL_CAMELLIA256,
2238 SSL_SHA256,
2239 TLS1_2_VERSION, TLS1_2_VERSION,
2240 DTLS1_2_VERSION, DTLS1_2_VERSION,
2241 SSL_NOT_DEFAULT | SSL_HIGH,
2242 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2243 256,
2244 256,
2245 },
2246 {
2247 1,
2248 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
bbb4ceb8 2249 TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
748f2546
RS		 2250 TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
2251 SSL_kEDH,
2252 SSL_aDSS,
2253 SSL_CAMELLIA256,
2254 SSL_SHA256,
2255 TLS1_2_VERSION, TLS1_2_VERSION,
2256 DTLS1_2_VERSION, DTLS1_2_VERSION,
2257 SSL_NOT_DEFAULT | SSL_HIGH,
2258 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2259 256,
2260 256,
2261 },
2262 {
2263 1,
2264 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
bbb4ceb8 2265 TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
748f2546
RS		 2266 TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
2267 SSL_kEDH,
2268 SSL_aRSA,
2269 SSL_CAMELLIA256,
2270 SSL_SHA256,
2271 TLS1_2_VERSION, TLS1_2_VERSION,
2272 DTLS1_2_VERSION, DTLS1_2_VERSION,
2273 SSL_NOT_DEFAULT | SSL_HIGH,
2274 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2275 256,
2276 256,
2277 },
2278 {
2279 1,
2280 TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
bbb4ceb8 2281 TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256,
748f2546
RS		 2282 TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
2283 SSL_kEDH,
2284 SSL_aNULL,
2285 SSL_CAMELLIA256,
2286 SSL_SHA256,
2287 TLS1_2_VERSION, TLS1_2_VERSION,
2288 DTLS1_2_VERSION, DTLS1_2_VERSION,
2289 SSL_NOT_DEFAULT | SSL_HIGH,
2290 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2291 256,
2292 256,
2293 },
2294 {
2295 1,
2296 TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
bbb4ceb8 2297 TLS1_RFC_RSA_WITH_CAMELLIA_256_CBC_SHA,
748f2546
RS		 2298 TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
2299 SSL_kRSA,
2300 SSL_aRSA,
2301 SSL_CAMELLIA256,
2302 SSL_SHA1,
2303 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2304 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2305 SSL_NOT_DEFAULT | SSL_HIGH,
2306 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2307 256,
2308 256,
2309 },
2310 {
2311 1,
2312 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
bbb4ceb8 2313 TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
748f2546
RS		 2314 TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
2315 SSL_kDHE,
2316 SSL_aDSS,
2317 SSL_CAMELLIA256,
2318 SSL_SHA1,
2319 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2320 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2321 SSL_NOT_DEFAULT | SSL_HIGH,
2322 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2323 256,
2324 256,
2325 },
2326 {
2327 1,
2328 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
bbb4ceb8 2329 TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
748f2546
RS		 2330 TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
2331 SSL_kDHE,
2332 SSL_aRSA,
2333 SSL_CAMELLIA256,
2334 SSL_SHA1,
2335 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2336 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2337 SSL_NOT_DEFAULT | SSL_HIGH,
2338 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2339 256,
2340 256,
2341 },
2342 {
2343 1,
2344 TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
bbb4ceb8 2345 TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA,
748f2546
RS		 2346 TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
2347 SSL_kDHE,
2348 SSL_aNULL,
2349 SSL_CAMELLIA256,
2350 SSL_SHA1,
2351 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2352 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2353 SSL_NOT_DEFAULT | SSL_HIGH,
2354 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2355 256,
2356 256,
2357 },
2358 {
2359 1,
2360 TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
bbb4ceb8 2361 TLS1_RFC_RSA_WITH_CAMELLIA_128_CBC_SHA,
748f2546
RS		 2362 TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
2363 SSL_kRSA,
2364 SSL_aRSA,
2365 SSL_CAMELLIA128,
2366 SSL_SHA1,
2367 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2368 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2369 SSL_NOT_DEFAULT | SSL_HIGH,
2370 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2371 128,
2372 128,
2373 },
2374 {
2375 1,
2376 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
bbb4ceb8 2377 TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
748f2546
RS		 2378 TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
2379 SSL_kDHE,
2380 SSL_aDSS,
2381 SSL_CAMELLIA128,
2382 SSL_SHA1,
2383 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2384 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2385 SSL_NOT_DEFAULT | SSL_HIGH,
2386 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2387 128,
2388 128,
2389 },
2390 {
2391 1,
2392 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
bbb4ceb8 2393 TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
748f2546
RS		 2394 TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
2395 SSL_kDHE,
2396 SSL_aRSA,
2397 SSL_CAMELLIA128,
2398 SSL_SHA1,
2399 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2400 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2401 SSL_NOT_DEFAULT | SSL_HIGH,
2402 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2403 128,
2404 128,
2405 },
2406 {
2407 1,
2408 TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
bbb4ceb8 2409 TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA,
748f2546
RS		 2410 TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
2411 SSL_kDHE,
2412 SSL_aNULL,
2413 SSL_CAMELLIA128,
2414 SSL_SHA1,
2415 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2416 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2417 SSL_NOT_DEFAULT | SSL_HIGH,
2418 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2419 128,
2420 128,
2421 },
2422
2423# ifndef OPENSSL_NO_EC
2424 {
0f113f3e
MC		 2425 1,
2426 TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2427 TLS1_RFC_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
0f113f3e
MC		 2428 TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
2429 SSL_kECDHE,
2430 SSL_aECDSA,
2431 SSL_CAMELLIA128,
2432 SSL_SHA256,
3eb2aff4
KR		 2433 TLS1_2_VERSION, TLS1_2_VERSION,
2434 DTLS1_2_VERSION, DTLS1_2_VERSION,
a556f342 2435 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 2436 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2437 128,
a230b26e
EK		 2438 128,
2439 },
748f2546 2440 {
0f113f3e
MC		 2441 1,
2442 TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
bbb4ceb8 2443 TLS1_RFC_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
0f113f3e
MC		 2444 TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
2445 SSL_kECDHE,
2446 SSL_aECDSA,
2447 SSL_CAMELLIA256,
2448 SSL_SHA384,
3eb2aff4
KR		 2449 TLS1_2_VERSION, TLS1_2_VERSION,
2450 DTLS1_2_VERSION, DTLS1_2_VERSION,
a556f342 2451 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 2452 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
2453 256,
a230b26e
EK		 2454 256,
2455 },
748f2546 2456 {
0f113f3e
MC		 2457 1,
2458 TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2459 TLS1_RFC_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
0f113f3e
MC		 2460 TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
2461 SSL_kECDHE,
2462 SSL_aRSA,
2463 SSL_CAMELLIA128,
2464 SSL_SHA256,
3eb2aff4
KR		 2465 TLS1_2_VERSION, TLS1_2_VERSION,
2466 DTLS1_2_VERSION, DTLS1_2_VERSION,
a556f342 2467 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 2468 SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
2469 128,
a230b26e
EK		 2470 128,
2471 },
748f2546 2472 {
0f113f3e
MC		 2473 1,
2474 TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
bbb4ceb8 2475 TLS1_RFC_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
0f113f3e
MC		 2476 TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
2477 SSL_kECDHE,
2478 SSL_aRSA,
2479 SSL_CAMELLIA256,
2480 SSL_SHA384,
3eb2aff4
KR		 2481 TLS1_2_VERSION, TLS1_2_VERSION,
2482 DTLS1_2_VERSION, DTLS1_2_VERSION,
a556f342 2483 SSL_NOT_DEFAULT | SSL_HIGH,
0f113f3e
MC		 2484 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
2485 256,
a230b26e
EK		 2486 256,
2487 },
2488# endif /* OPENSSL_NO_EC */
edc032b5 2489
748f2546
RS		 2490# ifndef OPENSSL_NO_PSK
2491 {
69a3a9f5
DSH		 2492 1,
2493 TLS1_TXT_PSK_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2494 TLS1_RFC_PSK_WITH_CAMELLIA_128_CBC_SHA256,
69a3a9f5
DSH		 2495 TLS1_CK_PSK_WITH_CAMELLIA_128_CBC_SHA256,
2496 SSL_kPSK,
2497 SSL_aPSK,
2498 SSL_CAMELLIA128,
2499 SSL_SHA256,
3eb2aff4 2500 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2501 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2502 SSL_NOT_DEFAULT | SSL_HIGH,
69a3a9f5
DSH		 2503 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2504 128,
a230b26e
EK		 2505 128,
2506 },
748f2546 2507 {
69a3a9f5
DSH		 2508 1,
2509 TLS1_TXT_PSK_WITH_CAMELLIA_256_CBC_SHA384,
bbb4ceb8 2510 TLS1_RFC_PSK_WITH_CAMELLIA_256_CBC_SHA384,
69a3a9f5
DSH		 2511 TLS1_CK_PSK_WITH_CAMELLIA_256_CBC_SHA384,
2512 SSL_kPSK,
2513 SSL_aPSK,
2514 SSL_CAMELLIA256,
2515 SSL_SHA384,
3eb2aff4 2516 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2517 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2518 SSL_NOT_DEFAULT | SSL_HIGH,
69a3a9f5
DSH		 2519 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
2520 256,
a230b26e
EK		 2521 256,
2522 },
748f2546 2523 {
69a3a9f5
DSH		 2524 1,
2525 TLS1_TXT_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2526 TLS1_RFC_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
69a3a9f5
DSH		 2527 TLS1_CK_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
2528 SSL_kDHEPSK,
2529 SSL_aPSK,
2530 SSL_CAMELLIA128,
2531 SSL_SHA256,
3eb2aff4 2532 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2533 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2534 SSL_NOT_DEFAULT | SSL_HIGH,
69a3a9f5
DSH		 2535 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2536 128,
a230b26e
EK		 2537 128,
2538 },
748f2546 2539 {
69a3a9f5
DSH		 2540 1,
2541 TLS1_TXT_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
bbb4ceb8 2542 TLS1_RFC_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
69a3a9f5
DSH		 2543 TLS1_CK_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
2544 SSL_kDHEPSK,
2545 SSL_aPSK,
2546 SSL_CAMELLIA256,
2547 SSL_SHA384,
3eb2aff4 2548 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2549 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2550 SSL_NOT_DEFAULT | SSL_HIGH,
69a3a9f5
DSH		 2551 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
2552 256,
a230b26e
EK		 2553 256,
2554 },
748f2546 2555 {
69a3a9f5
DSH		 2556 1,
2557 TLS1_TXT_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2558 TLS1_RFC_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
69a3a9f5
DSH		 2559 TLS1_CK_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
2560 SSL_kRSAPSK,
2561 SSL_aRSA,
2562 SSL_CAMELLIA128,
2563 SSL_SHA256,
3eb2aff4 2564 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2565 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2566 SSL_NOT_DEFAULT | SSL_HIGH,
69a3a9f5
DSH		 2567 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2568 128,
a230b26e
EK		 2569 128,
2570 },
748f2546 2571 {
69a3a9f5
DSH		 2572 1,
2573 TLS1_TXT_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
bbb4ceb8 2574 TLS1_RFC_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
69a3a9f5
DSH		 2575 TLS1_CK_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
2576 SSL_kRSAPSK,
2577 SSL_aRSA,
2578 SSL_CAMELLIA256,
2579 SSL_SHA384,
3eb2aff4 2580 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2581 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2582 SSL_NOT_DEFAULT | SSL_HIGH,
69a3a9f5
DSH		 2583 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
2584 256,
a230b26e
EK		 2585 256,
2586 },
176f85a2
DSH		 2587 {
2588 1,
748f2546 2589 TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
bbb4ceb8 2590 TLS1_RFC_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
748f2546
RS		 2591 TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
2592 SSL_kECDHEPSK,
176f85a2 2593 SSL_aPSK,
748f2546
RS		 2594 SSL_CAMELLIA128,
2595 SSL_SHA256,
2596 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2597 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2598 SSL_NOT_DEFAULT | SSL_HIGH,
748f2546 2599 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
176f85a2 2600 128,
a230b26e
EK		 2601 128,
2602 },
176f85a2
DSH		 2603 {
2604 1,
748f2546 2605 TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
bbb4ceb8 2606 TLS1_RFC_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
748f2546
RS		 2607 TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
2608 SSL_kECDHEPSK,
176f85a2 2609 SSL_aPSK,
748f2546
RS		 2610 SSL_CAMELLIA256,
2611 SSL_SHA384,
2612 TLS1_VERSION, TLS1_2_VERSION,
387cf213 2613 DTLS1_BAD_VER, DTLS1_2_VERSION,
a556f342 2614 SSL_NOT_DEFAULT | SSL_HIGH,
748f2546 2615 SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
176f85a2 2616 256,
a230b26e
EK		 2617 256,
2618 },
2619# endif /* OPENSSL_NO_PSK */
176f85a2 2620
a230b26e 2621#endif /* OPENSSL_NO_CAMELLIA */
176f85a2 2622
580731af 2623#ifndef OPENSSL_NO_GOST
176f85a2
DSH		 2624 {
2625 1,
748f2546 2626 "GOST2001-GOST89-GOST89",
bbb4ceb8 2627 "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
748f2546
RS		 2628 0x3000081,
2629 SSL_kGOST,
2630 SSL_aGOST01,
2631 SSL_eGOST2814789CNT,
2632 SSL_GOST89MAC,
2633 TLS1_VERSION, TLS1_2_VERSION,
48c16012 2634 0, 0,
748f2546
RS		 2635 SSL_HIGH,
2636 SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
176f85a2 2637 256,
a230b26e
EK		 2638 256,
2639 },
748f2546
RS		 2640 {
2641 1,
2642 "GOST2001-NULL-GOST94",
bbb4ceb8 2643 "TLS_GOSTR341001_WITH_NULL_GOSTR3411",
748f2546
RS		 2644 0x3000083,
2645 SSL_kGOST,
2646 SSL_aGOST01,
2647 SSL_eNULL,
2648 SSL_GOST94,
2649 TLS1_VERSION, TLS1_2_VERSION,
48c16012 2650 0, 0,
748f2546
RS		 2651 SSL_STRONG_NONE,
2652 SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
2653 0,
a230b26e
EK		 2654 0,
2655 },
748f2546
RS		 2656 {
2657 1,
2658 "GOST2012-GOST8912-GOST8912",
bbb4ceb8 2659 NULL,
748f2546
RS		 2660 0x0300ff85,
2661 SSL_kGOST,
2662 SSL_aGOST12 | SSL_aGOST01,
2663 SSL_eGOST2814789CNT12,
2664 SSL_GOST89MAC12,
2665 TLS1_VERSION, TLS1_2_VERSION,
48c16012 2666 0, 0,
748f2546
RS		 2667 SSL_HIGH,
2668 SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
176f85a2 2669 256,
a230b26e
EK		 2670 256,
2671 },
748f2546
RS		 2672 {
2673 1,
2674 "GOST2012-NULL-GOST12",
bbb4ceb8 2675 NULL,
748f2546
RS		 2676 0x0300ff87,
2677 SSL_kGOST,
2678 SSL_aGOST12 | SSL_aGOST01,
2679 SSL_eNULL,
2680 SSL_GOST12_256,
2681 TLS1_VERSION, TLS1_2_VERSION,
48c16012 2682 0, 0,
748f2546
RS		 2683 SSL_STRONG_NONE,
2684 SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
2685 0,
a230b26e
EK		 2686 0,
2687 },
2688#endif /* OPENSSL_NO_GOST */
176f85a2 2689
748f2546 2690#ifndef OPENSSL_NO_IDEA
176f85a2
DSH		 2691 {
2692 1,
748f2546 2693 SSL3_TXT_RSA_IDEA_128_SHA,
bbb4ceb8 2694 SSL3_RFC_RSA_IDEA_128_SHA,
748f2546
RS		 2695 SSL3_CK_RSA_IDEA_128_SHA,
2696 SSL_kRSA,
2697 SSL_aRSA,
2698 SSL_IDEA,
2699 SSL_SHA1,
2700 SSL3_VERSION, TLS1_1_VERSION,
387cf213 2701 DTLS1_BAD_VER, DTLS1_VERSION,
748f2546
RS		 2702 SSL_NOT_DEFAULT | SSL_MEDIUM,
2703 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
176f85a2
DSH		 2704 128,
2705 128,
2706 },
748f2546 2707#endif
176f85a2 2708
748f2546 2709#ifndef OPENSSL_NO_SEED
176f85a2
DSH		 2710 {
2711 1,
748f2546 2712 TLS1_TXT_RSA_WITH_SEED_SHA,
bbb4ceb8 2713 TLS1_RFC_RSA_WITH_SEED_SHA,
748f2546
RS		 2714 TLS1_CK_RSA_WITH_SEED_SHA,
2715 SSL_kRSA,
2716 SSL_aRSA,
2717 SSL_SEED,
2718 SSL_SHA1,
2719 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2720 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2721 SSL_NOT_DEFAULT | SSL_MEDIUM,
2722 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2723 128,
2724 128,
176f85a2 2725 },
176f85a2
DSH		 2726 {
2727 1,
748f2546 2728 TLS1_TXT_DHE_DSS_WITH_SEED_SHA,
bbb4ceb8 2729 TLS1_RFC_DHE_DSS_WITH_SEED_SHA,
748f2546
RS		 2730 TLS1_CK_DHE_DSS_WITH_SEED_SHA,
2731 SSL_kDHE,
2732 SSL_aDSS,
2733 SSL_SEED,
2734 SSL_SHA1,
2735 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2736 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2737 SSL_NOT_DEFAULT | SSL_MEDIUM,
2738 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
176f85a2
DSH		 2739 128,
2740 128,
2741 },
176f85a2
DSH		 2742 {
2743 1,
748f2546 2744 TLS1_TXT_DHE_RSA_WITH_SEED_SHA,
bbb4ceb8 2745 TLS1_RFC_DHE_RSA_WITH_SEED_SHA,
748f2546
RS		 2746 TLS1_CK_DHE_RSA_WITH_SEED_SHA,
2747 SSL_kDHE,
2748 SSL_aRSA,
2749 SSL_SEED,
2750 SSL_SHA1,
2751 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2752 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2753 SSL_NOT_DEFAULT | SSL_MEDIUM,
2754 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2755 128,
2756 128,
176f85a2 2757 },
176f85a2
DSH		 2758 {
2759 1,
748f2546 2760 TLS1_TXT_ADH_WITH_SEED_SHA,
bbb4ceb8 2761 TLS1_RFC_ADH_WITH_SEED_SHA,
748f2546
RS		 2762 TLS1_CK_ADH_WITH_SEED_SHA,
2763 SSL_kDHE,
2764 SSL_aNULL,
2765 SSL_SEED,
2766 SSL_SHA1,
2767 SSL3_VERSION, TLS1_2_VERSION,
387cf213 2768 DTLS1_BAD_VER, DTLS1_2_VERSION,
748f2546
RS		 2769 SSL_NOT_DEFAULT | SSL_MEDIUM,
2770 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
176f85a2
DSH		 2771 128,
2772 128,
2773 },
a230b26e 2774#endif /* OPENSSL_NO_SEED */
176f85a2 2775
748f2546
RS		 2776#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
2777 {
2778 1,
2779 SSL3_TXT_RSA_RC4_128_MD5,
bbb4ceb8 2780 SSL3_RFC_RSA_RC4_128_MD5,
748f2546
RS		 2781 SSL3_CK_RSA_RC4_128_MD5,
2782 SSL_kRSA,
2783 SSL_aRSA,
2784 SSL_RC4,
2785 SSL_MD5,
2786 SSL3_VERSION, TLS1_2_VERSION,
2787 0, 0,
2788 SSL_NOT_DEFAULT | SSL_MEDIUM,
2789 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2790 128,
2791 128,
2792 },
176f85a2
DSH		 2793 {
2794 1,
748f2546 2795 SSL3_TXT_RSA_RC4_128_SHA,
bbb4ceb8 2796 SSL3_RFC_RSA_RC4_128_SHA,
748f2546
RS		 2797 SSL3_CK_RSA_RC4_128_SHA,
2798 SSL_kRSA,
2799 SSL_aRSA,
2800 SSL_RC4,
2801 SSL_SHA1,
2802 SSL3_VERSION, TLS1_2_VERSION,
2803 0, 0,
2804 SSL_NOT_DEFAULT | SSL_MEDIUM,
2805 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2806 128,
2807 128,
176f85a2 2808 },
176f85a2
DSH		 2809 {
2810 1,
748f2546 2811 SSL3_TXT_ADH_RC4_128_MD5,
bbb4ceb8 2812 SSL3_RFC_ADH_RC4_128_MD5,
748f2546
RS		 2813 SSL3_CK_ADH_RC4_128_MD5,
2814 SSL_kDHE,
2815 SSL_aNULL,
2816 SSL_RC4,
2817 SSL_MD5,
2818 SSL3_VERSION, TLS1_2_VERSION,
2819 0, 0,
2820 SSL_NOT_DEFAULT | SSL_MEDIUM,
2821 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
176f85a2
DSH		 2822 128,
2823 128,
2824 },
2825
748f2546 2826# ifndef OPENSSL_NO_EC
176f85a2
DSH		 2827 {
2828 1,
748f2546 2829 TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
bbb4ceb8 2830 TLS1_RFC_ECDHE_PSK_WITH_RC4_128_SHA,
748f2546
RS		 2831 TLS1_CK_ECDHE_PSK_WITH_RC4_128_SHA,
2832 SSL_kECDHEPSK,
2833 SSL_aPSK,
2834 SSL_RC4,
2835 SSL_SHA1,
fe55c4a2 2836 TLS1_VERSION, TLS1_2_VERSION,
748f2546
RS		 2837 0, 0,
2838 SSL_NOT_DEFAULT | SSL_MEDIUM,
2839 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2840 128,
2841 128,
176f85a2 2842 },
a76ba82c
AP		 2843 {
2844 1,
748f2546 2845 TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
bbb4ceb8 2846 TLS1_RFC_ECDH_anon_WITH_RC4_128_SHA,
748f2546 2847 TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
a76ba82c 2848 SSL_kECDHE,
748f2546
RS		 2849 SSL_aNULL,
2850 SSL_RC4,
2851 SSL_SHA1,
fe55c4a2 2852 TLS1_VERSION, TLS1_2_VERSION,
748f2546
RS		 2853 0, 0,
2854 SSL_NOT_DEFAULT | SSL_MEDIUM,
2855 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2856 128,
2857 128,
a76ba82c 2858 },
a76ba82c
AP		 2859 {
2860 1,
748f2546 2861 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
bbb4ceb8 2862 TLS1_RFC_ECDHE_ECDSA_WITH_RC4_128_SHA,
748f2546 2863 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
a76ba82c
AP		 2864 SSL_kECDHE,
2865 SSL_aECDSA,
748f2546
RS		 2866 SSL_RC4,
2867 SSL_SHA1,
fe55c4a2 2868 TLS1_VERSION, TLS1_2_VERSION,
748f2546
RS		 2869 0, 0,
2870 SSL_NOT_DEFAULT | SSL_MEDIUM,
2871 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2872 128,
2873 128,
a76ba82c 2874 },
a76ba82c
AP		 2875 {
2876 1,
748f2546 2877 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
bbb4ceb8 2878 TLS1_RFC_ECDHE_RSA_WITH_RC4_128_SHA,
748f2546
RS		 2879 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
2880 SSL_kECDHE,
a76ba82c 2881 SSL_aRSA,
748f2546
RS		 2882 SSL_RC4,
2883 SSL_SHA1,
fe55c4a2 2884 TLS1_VERSION, TLS1_2_VERSION,
748f2546
RS		 2885 0, 0,
2886 SSL_NOT_DEFAULT | SSL_MEDIUM,
2887 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2888 128,
2889 128,
a76ba82c 2890 },
a230b26e 2891# endif /* OPENSSL_NO_EC */
748f2546 2892
a76ba82c 2893# ifndef OPENSSL_NO_PSK
a76ba82c
AP		 2894 {
2895 1,
748f2546 2896 TLS1_TXT_PSK_WITH_RC4_128_SHA,
bbb4ceb8 2897 TLS1_RFC_PSK_WITH_RC4_128_SHA,
748f2546 2898 TLS1_CK_PSK_WITH_RC4_128_SHA,
a76ba82c
AP		 2899 SSL_kPSK,
2900 SSL_aPSK,
748f2546
RS		 2901 SSL_RC4,
2902 SSL_SHA1,
2903 SSL3_VERSION, TLS1_2_VERSION,
2904 0, 0,
2905 SSL_NOT_DEFAULT | SSL_MEDIUM,
2906 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2907 128,
2908 128,
a76ba82c 2909 },
a76ba82c
AP		 2910 {
2911 1,
748f2546 2912 TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
bbb4ceb8 2913 TLS1_RFC_RSA_PSK_WITH_RC4_128_SHA,
748f2546
RS		 2914 TLS1_CK_RSA_PSK_WITH_RC4_128_SHA,
2915 SSL_kRSAPSK,
2916 SSL_aRSA,
2917 SSL_RC4,
2918 SSL_SHA1,
2919 SSL3_VERSION, TLS1_2_VERSION,
2920 0, 0,
2921 SSL_NOT_DEFAULT | SSL_MEDIUM,
2922 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2923 128,
2924 128,
a76ba82c 2925 },
a76ba82c
AP		 2926 {
2927 1,
748f2546 2928 TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
bbb4ceb8 2929 TLS1_RFC_DHE_PSK_WITH_RC4_128_SHA,
748f2546 2930 TLS1_CK_DHE_PSK_WITH_RC4_128_SHA,
a76ba82c
AP		 2931 SSL_kDHEPSK,
2932 SSL_aPSK,
748f2546
RS		 2933 SSL_RC4,
2934 SSL_SHA1,
2935 SSL3_VERSION, TLS1_2_VERSION,
2936 0, 0,
2937 SSL_NOT_DEFAULT | SSL_MEDIUM,
2938 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
2939 128,
2940 128,
a76ba82c 2941 },
a230b26e 2942# endif /* OPENSSL_NO_PSK */
748f2546 2943
a230b26e 2944#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */
e44380a9 2945
0f113f3e
MC		 2946};
2947
650c6e41
BK		 2948/*
2949 * The list of known Signalling Cipher-Suite Value "ciphers", non-valid
2950 * values stuffed into the ciphers field of the wire protocol for signalling
2951 * purposes.
2952 */
2953static SSL_CIPHER ssl3_scsvs[] = {
2954 {
2955 0,
2956 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
bbb4ceb8 2957 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
650c6e41
BK		 2958 SSL3_CK_SCSV,
2959 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2960 },
2961 {
2962 0,
2963 "TLS_FALLBACK_SCSV",
bbb4ceb8 2964 "TLS_FALLBACK_SCSV",
650c6e41
BK		 2965 SSL3_CK_FALLBACK_SCSV,
2966 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2967 },
2968};
2969
748f2546
RS		 2970static int cipher_compare(const void *a, const void *b)
2971{
2972 const SSL_CIPHER *ap = (const SSL_CIPHER *)a;
2973 const SSL_CIPHER *bp = (const SSL_CIPHER *)b;
2974
a7ff5796
RL		 2975 if (ap->id == bp->id)
2976 return 0;
2977 return ap->id < bp->id ? -1 : 1;
748f2546
RS		 2978}
2979
2980void ssl_sort_cipher_list(void)
2981{
650c6e41 2982 qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof ssl3_ciphers[0],
748f2546 2983 cipher_compare);
650c6e41 2984 qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof ssl3_scsvs[0], cipher_compare);
748f2546
RS		 2985}
2986
0f113f3e
MC		 2987const SSL3_ENC_METHOD SSLv3_enc_data = {
2988 ssl3_enc,
2989 n_ssl3_mac,
2990 ssl3_setup_key_block,
2991 ssl3_generate_master_secret,
2992 ssl3_change_cipher_state,
2993 ssl3_final_finish_mac,
0f113f3e
MC		 2994 SSL3_MD_CLIENT_FINISHED_CONST, 4,
2995 SSL3_MD_SERVER_FINISHED_CONST, 4,
2996 ssl3_alert_code,
2997 (int (*)(SSL *, unsigned char *, size_t, const char *,
2998 size_t, const unsigned char *, size_t,
2999 int use_context))ssl_undefined_function,
3000 0,
a29fa98c 3001 ssl3_set_handshake_header,
2c7b4dbc 3002 tls_close_construct_packet,
0f113f3e
MC		 3003 ssl3_handshake_write
3004};
58964a49 3005
f3b656b2 3006long ssl3_default_timeout(void)
0f113f3e
MC		 3007{
3008 /*
3009 * 2 hours, the 24 hours mentioned in the SSLv3 spec is way too long for
3010 * http, the cache would over fill
3011 */
3012 return (60 * 60 * 2);
3013}
d02b48c6 3014
6b691a5c 3015int ssl3_num_ciphers(void)
0f113f3e
MC		 3016{
3017 return (SSL3_NUM_CIPHERS);
3018}
d02b48c6 3019
babb3798 3020const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
0f113f3e
MC		 3021{
3022 if (u < SSL3_NUM_CIPHERS)
3023 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]));
3024 else
3025 return (NULL);
3026}
d02b48c6 3027
a29fa98c 3028int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype)
2c7b4dbc 3029{
4a01c59f
MC		 3030 /* No header in the event of a CCS */
3031 if (htype == SSL3_MT_CHANGE_CIPHER_SPEC)
3032 return 1;
3033
2c7b4dbc 3034 /* Set the content type and 3 bytes for the message len */
08029dfa 3035 if (!WPACKET_put_bytes_u8(pkt, htype)
de451856 3036 || !WPACKET_start_sub_packet_u24(pkt))
2c7b4dbc
MC		 3037 return 0;
3038
3039 return 1;
3040}
3041
173e72e6 3042int ssl3_handshake_write(SSL *s)
0f113f3e
MC		 3043{
3044 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3045}
173e72e6 3046
6b691a5c 3047int ssl3_new(SSL *s)
0f113f3e
MC		 3048{
3049 SSL3_STATE *s3;
d02b48c6 3050
b51bce94 3051 if ((s3 = OPENSSL_zalloc(sizeof(*s3))) == NULL)
0f113f3e 3052 goto err;
0f113f3e 3053 s->s3 = s3;
1e0784ff 3054
edc032b5 3055#ifndef OPENSSL_NO_SRP
61986d32 3056 if (!SSL_SRP_CTX_init(s))
a230b26e 3057 goto err;
edc032b5 3058#endif
b77f3ed1
MC		 3059
3060 if (!s->method->ssl_clear(s))
3061 return 0;
3062
a89325e4 3063 return 1;
0f113f3e 3064 err:
a89325e4 3065 return 0;
0f113f3e 3066}
d02b48c6 3067
6b691a5c 3068void ssl3_free(SSL *s)
0f113f3e 3069{
a60c151a 3070 if (s == NULL || s->s3 == NULL)
0f113f3e 3071 return;
e03ddfae 3072
0f113f3e 3073 ssl3_cleanup_key_block(s);
8d92c1f8 3074
fb79abe3 3075#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
61dd9f7a
DSH		 3076 EVP_PKEY_free(s->s3->peer_tmp);
3077 s->s3->peer_tmp = NULL;
b22d7113
DSH		 3078 EVP_PKEY_free(s->s3->tmp.pkey);
3079 s->s3->tmp.pkey = NULL;
ea262260
BM		 3080#endif
3081
75c13e78 3082 OPENSSL_free(s->s3->tmp.ctype);
fa7c2637 3083 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
76106e60
DSH		 3084 OPENSSL_free(s->s3->tmp.ciphers_raw);
3085 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
3086 OPENSSL_free(s->s3->tmp.peer_sigalgs);
85fb6fda 3087 ssl3_free_digest_list(s);
25aaa98a 3088 OPENSSL_free(s->s3->alpn_selected);
817cd0d5 3089 OPENSSL_free(s->s3->alpn_proposed);
6f017a8f 3090
edc032b5 3091#ifndef OPENSSL_NO_SRP
0f113f3e 3092 SSL_SRP_CTX_free(s);
edc032b5 3093#endif
b4faea50 3094 OPENSSL_clear_free(s->s3, sizeof(*s->s3));
0f113f3e
MC		 3095 s->s3 = NULL;
3096}
d02b48c6 3097
b77f3ed1 3098int ssl3_clear(SSL *s)
0f113f3e 3099{
0f113f3e 3100 ssl3_cleanup_key_block(s);
75c13e78 3101 OPENSSL_free(s->s3->tmp.ctype);
fa7c2637 3102 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
76106e60 3103 OPENSSL_free(s->s3->tmp.ciphers_raw);
76106e60 3104 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
76106e60 3105 OPENSSL_free(s->s3->tmp.peer_sigalgs);
d02b48c6 3106
fb79abe3 3107#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
b22d7113 3108 EVP_PKEY_free(s->s3->tmp.pkey);
61dd9f7a 3109 EVP_PKEY_free(s->s3->peer_tmp);
a230b26e 3110#endif /* !OPENSSL_NO_EC */
0f113f3e 3111
85fb6fda 3112 ssl3_free_digest_list(s);
e481f9b9 3113
817cd0d5
TS		 3114 OPENSSL_free(s->s3->alpn_selected);
3115 OPENSSL_free(s->s3->alpn_proposed);
e481f9b9 3116
817cd0d5 3117 /* NULL/zero-out everything in the s3 struct */
b4faea50 3118 memset(s->s3, 0, sizeof(*s->s3));
0f113f3e 3119
b77f3ed1
MC		 3120 if (!ssl_free_wbio_buffer(s))
3121 return 0;
0f113f3e 3122
0f113f3e 3123 s->version = SSL3_VERSION;
ee2ffc27 3124
e481f9b9 3125#if !defined(OPENSSL_NO_NEXTPROTONEG)
aff8c126
RS		 3126 OPENSSL_free(s->ext.npn);
3127 s->ext.npn = NULL;
3128 s->ext.npn_len = 0;
ee2ffc27 3129#endif
b77f3ed1
MC		 3130
3131 return 1;
0f113f3e 3132}
d02b48c6 3133
edc032b5 3134#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 3135static char *srp_password_from_info_cb(SSL *s, void *arg)
3136{
7644a9ae 3137 return OPENSSL_strdup(s->srp_ctx.info);
0f113f3e 3138}
edc032b5
BL		 3139#endif
3140
a230b26e 3141static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len);
9f27b1ee 3142
a661b653 3143long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
0f113f3e
MC		 3144{
3145 int ret = 0;
58964a49 3146
0f113f3e 3147 switch (cmd) {
0f113f3e
MC		 3148 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
3149 break;
3150 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
3151 ret = s->s3->num_renegotiations;
3152 break;
3153 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
3154 ret = s->s3->num_renegotiations;
3155 s->s3->num_renegotiations = 0;
3156 break;
3157 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
3158 ret = s->s3->total_renegotiations;
3159 break;
3160 case SSL_CTRL_GET_FLAGS:
3161 ret = (int)(s->s3->flags);
3162 break;
bc36ee62 3163#ifndef OPENSSL_NO_DH
0f113f3e
MC		 3164 case SSL_CTRL_SET_TMP_DH:
3165 {
3166 DH *dh = (DH *)parg;
e2b420fd 3167 EVP_PKEY *pkdh = NULL;
0f113f3e
MC		 3168 if (dh == NULL) {
3169 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
3170 return (ret);
3171 }
e2b420fd
DSH		 3172 pkdh = ssl_dh_to_pkey(dh);
3173 if (pkdh == NULL) {
3174 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
3175 return 0;
3176 }
0f113f3e 3177 if (!ssl_security(s, SSL_SECOP_TMP_DH,
e2b420fd 3178 EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
0f113f3e 3179 SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL);
e2b420fd
DSH		 3180 EVP_PKEY_free(pkdh);
3181 return ret;
0f113f3e 3182 }
e2b420fd
DSH		 3183 EVP_PKEY_free(s->cert->dh_tmp);
3184 s->cert->dh_tmp = pkdh;
0f113f3e
MC		 3185 ret = 1;
3186 }
3187 break;
3188 case SSL_CTRL_SET_TMP_DH_CB:
3189 {
3190 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3191 return (ret);
3192 }
0f113f3e
MC		 3193 case SSL_CTRL_SET_DH_AUTO:
3194 s->cert->dh_tmp_auto = larg;
3195 return 1;
d3442bc7 3196#endif
10bf4fc2 3197#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3198 case SSL_CTRL_SET_TMP_ECDH:
3199 {
6977e8ee
KR		 3200 const EC_GROUP *group = NULL;
3201 int nid;
0f113f3e
MC		 3202
3203 if (parg == NULL) {
3204 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
6977e8ee 3205 return 0;
0f113f3e 3206 }
6977e8ee
KR		 3207 group = EC_KEY_get0_group((const EC_KEY *)parg);
3208 if (group == NULL) {
3209 SSLerr(SSL_F_SSL3_CTRL, EC_R_MISSING_PARAMETERS);
3210 return 0;
0f113f3e 3211 }
6977e8ee
KR		 3212 nid = EC_GROUP_get_curve_name(group);
3213 if (nid == NID_undef)
3214 return 0;
aff8c126
RS		 3215 return tls1_set_groups(&s->ext.supportedgroups,
3216 &s->ext.supportedgroups_len,
6977e8ee 3217 &nid, 1);
0f113f3e
MC		 3218 }
3219 break;
10bf4fc2 3220#endif /* !OPENSSL_NO_EC */
0f113f3e
MC		 3221 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
3222 if (larg == TLSEXT_NAMETYPE_host_name) {
0982ecaa
VD		 3223 size_t len;
3224
aff8c126
RS		 3225 OPENSSL_free(s->ext.hostname);
3226 s->ext.hostname = NULL;
0f113f3e
MC		 3227
3228 ret = 1;
3229 if (parg == NULL)
3230 break;
0982ecaa
VD		 3231 len = strlen((char *)parg);
3232 if (len == 0 || len > TLSEXT_MAXLEN_host_name) {
0f113f3e
MC		 3233 SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
3234 return 0;
3235 }
aff8c126 3236 if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) {
0f113f3e
MC		 3237 SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
3238 return 0;
3239 }
3240 } else {
3241 SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
3242 return 0;
3243 }
3244 break;
3245 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
aff8c126 3246 s->ext.debug_arg = parg;
0f113f3e
MC		 3247 ret = 1;
3248 break;
3249
4300aaf3 3250 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
aff8c126 3251 ret = s->ext.status_type;
4300aaf3
AG		 3252 break;
3253
0f113f3e 3254 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
aff8c126 3255 s->ext.status_type = larg;
0f113f3e
MC		 3256 ret = 1;
3257 break;
3258
3259 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
aff8c126 3260 *(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts;
0f113f3e
MC		 3261 ret = 1;
3262 break;
3263
3264 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
aff8c126 3265 s->ext.ocsp.exts = parg;
0f113f3e
MC		 3266 ret = 1;
3267 break;
3268
3269 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
aff8c126 3270 *(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids;
0f113f3e
MC		 3271 ret = 1;
3272 break;
3273
3274 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
aff8c126 3275 s->ext.ocsp.ids = parg;
0f113f3e
MC		 3276 ret = 1;
3277 break;
3278
3279 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
aff8c126
RS		 3280 *(unsigned char **)parg = s->ext.ocsp.resp;
3281 if (s->ext.ocsp.resp_len == 0
3282 || s->ext.ocsp.resp_len > LONG_MAX)
8b0e934a 3283 return -1;
aff8c126 3284 return (long)s->ext.ocsp.resp_len;
0f113f3e
MC		 3285
3286 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
aff8c126
RS		 3287 OPENSSL_free(s->ext.ocsp.resp);
3288 s->ext.ocsp.resp = parg;
3289 s->ext.ocsp.resp_len = larg;
0f113f3e
MC		 3290 ret = 1;
3291 break;
3292
b612799a
RL		 3293#ifndef OPENSSL_NO_HEARTBEATS
3294 case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT:
3295 case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING:
3296 case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS:
3297 break;
3298#endif
3299
0f113f3e
MC		 3300 case SSL_CTRL_CHAIN:
3301 if (larg)
3302 return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
3303 else
3304 return ssl_cert_set0_chain(s, NULL, (STACK_OF(X509) *)parg);
3305
3306 case SSL_CTRL_CHAIN_CERT:
3307 if (larg)
3308 return ssl_cert_add1_chain_cert(s, NULL, (X509 *)parg);
3309 else
3310 return ssl_cert_add0_chain_cert(s, NULL, (X509 *)parg);
3311
3312 case SSL_CTRL_GET_CHAIN_CERTS:
3313 *(STACK_OF(X509) **)parg = s->cert->key->chain;
3314 break;
3315
3316 case SSL_CTRL_SELECT_CURRENT_CERT:
3317 return ssl_cert_select_current(s->cert, (X509 *)parg);
3318
3319 case SSL_CTRL_SET_CURRENT_CERT:
3320 if (larg == SSL_CERT_SET_SERVER) {
0f113f3e
MC		 3321 const SSL_CIPHER *cipher;
3322 if (!s->server)
3323 return 0;
3324 cipher = s->s3->tmp.new_cipher;
f365a3e2 3325 if (cipher == NULL)
0f113f3e
MC		 3326 return 0;
3327 /*
3328 * No certificate for unauthenticated ciphersuites or using SRP
3329 * authentication
3330 */
3331 if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
3332 return 2;
a497cf25 3333 if (s->s3->tmp.cert == NULL)
0f113f3e 3334 return 0;
a497cf25 3335 s->cert->key = s->s3->tmp.cert;
0f113f3e
MC		 3336 return 1;
3337 }
3338 return ssl_cert_set_current(s->cert, larg);
0f78819c 3339
14536c8c 3340#ifndef OPENSSL_NO_EC
de4d764e 3341 case SSL_CTRL_GET_GROUPS:
0f113f3e
MC		 3342 {
3343 unsigned char *clist;
3344 size_t clistlen;
aff8c126 3345
0f113f3e
MC		 3346 if (!s->session)
3347 return 0;
aff8c126
RS		 3348 clist = s->session->ext.supportedgroups;
3349 clistlen = s->session->ext.supportedgroups_len / 2;
0f113f3e
MC		 3350 if (parg) {
3351 size_t i;
3352 int *cptr = parg;
3353 unsigned int cid, nid;
3354 for (i = 0; i < clistlen; i++) {
3355 n2s(clist, cid);
de4d764e 3356 /* TODO(TLS1.3): Handle DH groups here */
ec24630a 3357 nid = tls1_ec_curve_id2nid(cid, NULL);
0f113f3e
MC		 3358 if (nid != 0)
3359 cptr[i] = nid;
3360 else
3361 cptr[i] = TLSEXT_nid_unknown | cid;
3362 }
3363 }
3364 return (int)clistlen;
3365 }
3366
de4d764e 3367 case SSL_CTRL_SET_GROUPS:
aff8c126
RS		 3368 return tls1_set_groups(&s->ext.supportedgroups,
3369 &s->ext.supportedgroups_len, parg, larg);
0f113f3e 3370
de4d764e 3371 case SSL_CTRL_SET_GROUPS_LIST:
aff8c126
RS		 3372 return tls1_set_groups_list(&s->ext.supportedgroups,
3373 &s->ext.supportedgroups_len, parg);
0f113f3e 3374
de4d764e
MC		 3375 case SSL_CTRL_GET_SHARED_GROUP:
3376 return tls1_shared_group(s, larg);
0f113f3e 3377
14536c8c 3378#endif
0f113f3e
MC		 3379 case SSL_CTRL_SET_SIGALGS:
3380 return tls1_set_sigalgs(s->cert, parg, larg, 0);
3381
3382 case SSL_CTRL_SET_SIGALGS_LIST:
3383 return tls1_set_sigalgs_list(s->cert, parg, 0);
3384
3385 case SSL_CTRL_SET_CLIENT_SIGALGS:
3386 return tls1_set_sigalgs(s->cert, parg, larg, 1);
3387
3388 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
3389 return tls1_set_sigalgs_list(s->cert, parg, 1);
3390
3391 case SSL_CTRL_GET_CLIENT_CERT_TYPES:
3392 {
3393 const unsigned char **pctype = parg;
3394 if (s->server || !s->s3->tmp.cert_req)
3395 return 0;
0f113f3e 3396 if (pctype)
75c13e78
DSH		 3397 *pctype = s->s3->tmp.ctype;
3398 return s->s3->tmp.ctype_len;
0f113f3e
MC		 3399 }
3400
3401 case SSL_CTRL_SET_CLIENT_CERT_TYPES:
3402 if (!s->server)
3403 return 0;
3404 return ssl3_set_req_cert_type(s->cert, parg, larg);
3405
3406 case SSL_CTRL_BUILD_CERT_CHAIN:
3407 return ssl_build_cert_chain(s, NULL, larg);
3408
3409 case SSL_CTRL_SET_VERIFY_CERT_STORE:
3410 return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
3411
3412 case SSL_CTRL_SET_CHAIN_CERT_STORE:
3413 return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
3414
3415 case SSL_CTRL_GET_PEER_SIGNATURE_NID:
f742cda8 3416 if (s->s3->tmp.peer_sigalg == NULL)
0f113f3e 3417 return 0;
f742cda8
DSH		 3418 *(int *)parg = s->s3->tmp.peer_sigalg->hash;
3419 return 1;
0f113f3e
MC		 3420
3421 case SSL_CTRL_GET_SERVER_TMP_KEY:
fb79abe3
DSH		 3422#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
3423 if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) {
0f113f3e 3424 return 0;
fb79abe3
DSH		 3425 } else {
3426 EVP_PKEY_up_ref(s->s3->peer_tmp);
3427 *(EVP_PKEY **)parg = s->s3->peer_tmp;
3428 return 1;
0f113f3e 3429 }
fb79abe3
DSH		 3430#else
3431 return 0;
3432#endif
14536c8c 3433#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3434 case SSL_CTRL_GET_EC_POINT_FORMATS:
3435 {
3436 SSL_SESSION *sess = s->session;
3437 const unsigned char **pformat = parg;
aff8c126
RS		 3438
3439 if (sess == NULL || sess->ext.ecpointformats == NULL)
0f113f3e 3440 return 0;
aff8c126
RS		 3441 *pformat = sess->ext.ecpointformats;
3442 return (int)sess->ext.ecpointformats_len;
0f113f3e 3443 }
14536c8c 3444#endif
cf6da053 3445
0f113f3e
MC		 3446 default:
3447 break;
3448 }
3449 return (ret);
3450}
3451
3452long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
3453{
3454 int ret = 0;
d3442bc7 3455
0f113f3e 3456 switch (cmd) {
bc36ee62 3457#ifndef OPENSSL_NO_DH
0f113f3e
MC		 3458 case SSL_CTRL_SET_TMP_DH_CB:
3459 {
3460 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
3461 }
3462 break;
6434abbf 3463#endif
0f113f3e 3464 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
aff8c126 3465 s->ext.debug_cb = (void (*)(SSL *, int, int,
1ed327f7 3466 const unsigned char *, int, void *))fp;
0f113f3e 3467 break;
e481f9b9 3468
0f113f3e
MC		 3469 case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
3470 {
3471 s->not_resumable_session_cb = (int (*)(SSL *, int))fp;
3472 }
3473 break;
3474 default:
3475 break;
3476 }
3477 return (ret);
3478}
d02b48c6 3479
a661b653 3480long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
0f113f3e 3481{
0f113f3e 3482 switch (cmd) {
bc36ee62 3483#ifndef OPENSSL_NO_DH
0f113f3e
MC		 3484 case SSL_CTRL_SET_TMP_DH:
3485 {
e2b420fd
DSH		 3486 DH *dh = (DH *)parg;
3487 EVP_PKEY *pkdh = NULL;
3488 if (dh == NULL) {
3489 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER);
0f113f3e
MC		 3490 return 0;
3491 }
e2b420fd
DSH		 3492 pkdh = ssl_dh_to_pkey(dh);
3493 if (pkdh == NULL) {
3494 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 3495 return 0;
3496 }
e2b420fd
DSH		 3497 if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
3498 EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
3499 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
3500 EVP_PKEY_free(pkdh);
3501 return 1;
0f113f3e 3502 }
e2b420fd
DSH		 3503 EVP_PKEY_free(ctx->cert->dh_tmp);
3504 ctx->cert->dh_tmp = pkdh;
0f113f3e
MC		 3505 return 1;
3506 }
0f113f3e
MC		 3507 case SSL_CTRL_SET_TMP_DH_CB:
3508 {
3509 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3510 return (0);
3511 }
0f113f3e
MC		 3512 case SSL_CTRL_SET_DH_AUTO:
3513 ctx->cert->dh_tmp_auto = larg;
3514 return 1;
d02b48c6 3515#endif
10bf4fc2 3516#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3517 case SSL_CTRL_SET_TMP_ECDH:
3518 {
6977e8ee
KR		 3519 const EC_GROUP *group = NULL;
3520 int nid;
0f113f3e
MC		 3521
3522 if (parg == NULL) {
6977e8ee 3523 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER);
0f113f3e
MC		 3524 return 0;
3525 }
6977e8ee
KR		 3526 group = EC_KEY_get0_group((const EC_KEY *)parg);
3527 if (group == NULL) {
3528 SSLerr(SSL_F_SSL3_CTX_CTRL, EC_R_MISSING_PARAMETERS);
0f113f3e
MC		 3529 return 0;
3530 }
6977e8ee
KR		 3531 nid = EC_GROUP_get_curve_name(group);
3532 if (nid == NID_undef)
3533 return 0;
aff8c126
RS		 3534 return tls1_set_groups(&ctx->ext.supportedgroups,
3535 &ctx->ext.supportedgroups_len,
6977e8ee 3536 &nid, 1);
0f113f3e 3537 }
10bf4fc2 3538#endif /* !OPENSSL_NO_EC */
0f113f3e 3539 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
aff8c126 3540 ctx->ext.servername_arg = parg;
0f113f3e
MC		 3541 break;
3542 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
3543 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
3544 {
3545 unsigned char *keys = parg;
aff8c126
RS		 3546 long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
3547 sizeof(ctx->ext.tick_hmac_key) +
3548 sizeof(ctx->ext.tick_aes_key));
d139723b 3549 if (keys == NULL)
aff8c126
RS		 3550 return tick_keylen;
3551 if (larg != tick_keylen) {
0f113f3e
MC		 3552 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
3553 return 0;
3554 }
3555 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
aff8c126
RS		 3556 memcpy(ctx->ext.tick_key_name, keys,
3557 sizeof(ctx->ext.tick_key_name));
3558 memcpy(ctx->ext.tick_hmac_key,
3559 keys + sizeof(ctx->ext.tick_key_name),
3560 sizeof(ctx->ext.tick_hmac_key));
3561 memcpy(ctx->ext.tick_aes_key,
3562 keys + sizeof(ctx->ext.tick_key_name) +
3563 sizeof(ctx->ext.tick_hmac_key),
3564 sizeof(ctx->ext.tick_aes_key));
0f113f3e 3565 } else {
aff8c126
RS		 3566 memcpy(keys, ctx->ext.tick_key_name,
3567 sizeof(ctx->ext.tick_key_name));
3568 memcpy(keys + sizeof(ctx->ext.tick_key_name),
3569 ctx->ext.tick_hmac_key,
3570 sizeof(ctx->ext.tick_hmac_key));
3571 memcpy(keys + sizeof(ctx->ext.tick_key_name) +
3572 sizeof(ctx->ext.tick_hmac_key),
3573 ctx->ext.tick_aes_key,
3574 sizeof(ctx->ext.tick_aes_key));
0f113f3e
MC		 3575 }
3576 return 1;
3577 }
3578
30b96765 3579 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
aff8c126 3580 return ctx->ext.status_type;
30b96765 3581
ba261f71 3582 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
aff8c126 3583 ctx->ext.status_type = larg;
ba261f71 3584 break;
3585
0f113f3e 3586 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
aff8c126 3587 ctx->ext.status_arg = parg;
0f113f3e 3588 return 1;
0f113f3e 3589
fddfc0af 3590 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
aff8c126 3591 *(void**)parg = ctx->ext.status_arg;
fddfc0af
RG		 3592 break;
3593
3594 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
aff8c126 3595 *(int (**)(SSL*, void*))parg = ctx->ext.status_cb;
fddfc0af
RG		 3596 break;
3597
e481f9b9 3598#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 3599 case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
3600 ctx->srp_ctx.srp_Mask |= SSL_kSRP;
b548a1f1 3601 OPENSSL_free(ctx->srp_ctx.login);
0f113f3e
MC		 3602 ctx->srp_ctx.login = NULL;
3603 if (parg == NULL)
3604 break;
a230b26e 3605 if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) {
0f113f3e
MC		 3606 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
3607 return 0;
3608 }
7644a9ae 3609 if ((ctx->srp_ctx.login = OPENSSL_strdup((char *)parg)) == NULL) {
0f113f3e
MC		 3610 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
3611 return 0;
3612 }
3613 break;
3614 case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
3615 ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
3616 srp_password_from_info_cb;
e655f549
DSC		 3617 if (ctx->srp_ctx.info != NULL)
3618 OPENSSL_free(ctx->srp_ctx.info);
3619 if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) {
3620 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
3621 return 0;
3622 }
0f113f3e
MC		 3623 break;
3624 case SSL_CTRL_SET_SRP_ARG:
3625 ctx->srp_ctx.srp_Mask |= SSL_kSRP;
3626 ctx->srp_ctx.SRP_cb_arg = parg;
3627 break;
3628
3629 case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
3630 ctx->srp_ctx.strength = larg;
3631 break;
e481f9b9 3632#endif
0f113f3e 3633
e481f9b9 3634#ifndef OPENSSL_NO_EC
de4d764e 3635 case SSL_CTRL_SET_GROUPS:
aff8c126
RS		 3636 return tls1_set_groups(&ctx->ext.supportedgroups,
3637 &ctx->ext.supportedgroups_len,
0f113f3e
MC		 3638 parg, larg);
3639
de4d764e 3640 case SSL_CTRL_SET_GROUPS_LIST:
aff8c126
RS		 3641 return tls1_set_groups_list(&ctx->ext.supportedgroups,
3642 &ctx->ext.supportedgroups_len,
0f113f3e 3643 parg);
e481f9b9 3644#endif
0f113f3e
MC		 3645 case SSL_CTRL_SET_SIGALGS:
3646 return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
3647
3648 case SSL_CTRL_SET_SIGALGS_LIST:
3649 return tls1_set_sigalgs_list(ctx->cert, parg, 0);
3650
3651 case SSL_CTRL_SET_CLIENT_SIGALGS:
3652 return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
3653
3654 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
3655 return tls1_set_sigalgs_list(ctx->cert, parg, 1);
3656
3657 case SSL_CTRL_SET_CLIENT_CERT_TYPES:
3658 return ssl3_set_req_cert_type(ctx->cert, parg, larg);
3659
3660 case SSL_CTRL_BUILD_CERT_CHAIN:
3661 return ssl_build_cert_chain(NULL, ctx, larg);
3662
3663 case SSL_CTRL_SET_VERIFY_CERT_STORE:
3664 return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
3665
3666 case SSL_CTRL_SET_CHAIN_CERT_STORE:
3667 return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
3668
0f113f3e
MC		 3669 /* A Thawte special :-) */
3670 case SSL_CTRL_EXTRA_CHAIN_CERT:
3671 if (ctx->extra_certs == NULL) {
3c82e437
F		 3672 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) {
3673 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
3674 return 0;
3675 }
3676 }
3677 if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) {
3678 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
3679 return 0;
0f113f3e 3680 }
0f113f3e
MC		 3681 break;
3682
3683 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
3684 if (ctx->extra_certs == NULL && larg == 0)
3685 *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
3686 else
3687 *(STACK_OF(X509) **)parg = ctx->extra_certs;
3688 break;
3689
3690 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
222561fe
RS		 3691 sk_X509_pop_free(ctx->extra_certs, X509_free);
3692 ctx->extra_certs = NULL;
0f113f3e
MC		 3693 break;
3694
3695 case SSL_CTRL_CHAIN:
3696 if (larg)
3697 return ssl_cert_set1_chain(NULL, ctx, (STACK_OF(X509) *)parg);
3698 else
3699 return ssl_cert_set0_chain(NULL, ctx, (STACK_OF(X509) *)parg);
3700
3701 case SSL_CTRL_CHAIN_CERT:
3702 if (larg)
3703 return ssl_cert_add1_chain_cert(NULL, ctx, (X509 *)parg);
3704 else
3705 return ssl_cert_add0_chain_cert(NULL, ctx, (X509 *)parg);
3706
3707 case SSL_CTRL_GET_CHAIN_CERTS:
3708 *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
3709 break;
3710
3711 case SSL_CTRL_SELECT_CURRENT_CERT:
3712 return ssl_cert_select_current(ctx->cert, (X509 *)parg);
3713
3714 case SSL_CTRL_SET_CURRENT_CERT:
3715 return ssl_cert_set_current(ctx->cert, larg);
3716
3717 default:
3718 return (0);
3719 }
3720 return (1);
3721}
3722
3723long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
3724{
0f113f3e 3725 switch (cmd) {
bc36ee62 3726#ifndef OPENSSL_NO_DH
0f113f3e
MC		 3727 case SSL_CTRL_SET_TMP_DH_CB:
3728 {
8ca8fc48 3729 ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
0f113f3e
MC		 3730 }
3731 break;
ed3883d2 3732#endif
0f113f3e 3733 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
aff8c126 3734 ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp;
0f113f3e
MC		 3735 break;
3736
0f113f3e 3737 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
aff8c126 3738 ctx->ext.status_cb = (int (*)(SSL *, void *))fp;
0f113f3e
MC		 3739 break;
3740
3741 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
aff8c126 3742 ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *,
0f113f3e
MC		 3743 unsigned char *,
3744 EVP_CIPHER_CTX *,
3745 HMAC_CTX *, int))fp;
3746 break;
3747
e481f9b9 3748#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 3749 case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
3750 ctx->srp_ctx.srp_Mask |= SSL_kSRP;
3751 ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp;
3752 break;
3753 case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
3754 ctx->srp_ctx.srp_Mask |= SSL_kSRP;
3755 ctx->srp_ctx.TLS_ext_srp_username_callback =
3756 (int (*)(SSL *, int *, void *))fp;
3757 break;
3758 case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
3759 ctx->srp_ctx.srp_Mask |= SSL_kSRP;
3760 ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
3761 (char *(*)(SSL *, void *))fp;
3762 break;
761772d7 3763#endif
0f113f3e
MC		 3764 case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
3765 {
3766 ctx->not_resumable_session_cb = (int (*)(SSL *, int))fp;
3767 }
3768 break;
3769 default:
3770 return (0);
3771 }
3772 return (1);
3773}
761772d7 3774
ec15acb6
MC		 3775const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id)
3776{
3777 SSL_CIPHER c;
650c6e41 3778 const SSL_CIPHER *cp;
ec15acb6
MC		 3779
3780 c.id = id;
650c6e41
BK		 3781 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
3782 if (cp != NULL)
3783 return cp;
3784 return OBJ_bsearch_ssl_cipher_id(&c, ssl3_scsvs, SSL3_NUM_SCSVS);
ec15acb6
MC		 3785}
3786
bbb4ceb8
PY		 3787const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
3788{
3789 SSL_CIPHER *c = NULL;
3790 SSL_CIPHER *tbl = ssl3_ciphers;
3791 size_t i;
3792
3793 /* this is not efficient, necessary to optimze this? */
3794 for (i = 0; i < SSL3_NUM_CIPHERS; i++, tbl++) {
3795 if (tbl->stdname == NULL)
3796 continue;
3797 if (strcmp(stdname, tbl->stdname) == 0) {
3798 c = tbl;
3799 break;
3800 }
3801 }
3802 if (c == NULL) {
3803 tbl = ssl3_scsvs;
3804 for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) {
3805 if (strcmp(stdname, tbl->stdname) == 0) {
3806 c = tbl;
3807 break;
3808 }
3809 }
3810 }
3811 return c;
3812}
3813
0f113f3e
MC		 3814/*
3815 * This function needs to check if the ciphers required are actually
3816 * available
3817 */
babb3798 3818const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
0f113f3e 3819{
1f5b44e9 3820 return ssl3_get_cipher_by_id(SSL3_CK_CIPHERSUITE_FLAG
ec15acb6
MC		 3821 | ((uint32_t)p[0] << 8L)
3822 | (uint32_t)p[1]);
0f113f3e 3823}
d02b48c6 3824
ae2f7b37 3825int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
2c7b4dbc 3826{
34f7245b 3827 if ((c->id & 0xff000000) != SSL3_CK_CIPHERSUITE_FLAG) {
2c7b4dbc
MC		 3828 *len = 0;
3829 return 1;
3830 }
3831
08029dfa 3832 if (!WPACKET_put_bytes_u16(pkt, c->id & 0xffff))
2c7b4dbc
MC		 3833 return 0;
3834
3835 *len = 2;
3836 return 1;
3837}
3838
3eb2aff4
KR		 3839/*
3840 * ssl3_choose_cipher - choose a cipher from those offered by the client
3841 * @s: SSL connection
3842 * @clnt: ciphers offered by the client
3843 * @srvr: ciphers enabled on the server?
3844 *
3845 * Returns the selected cipher or NULL when no common ciphers.
3846 */
4a640fb6 3847const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
a230b26e 3848 STACK_OF(SSL_CIPHER) *srvr)
0f113f3e 3849{
4a640fb6 3850 const SSL_CIPHER *c, *ret = NULL;
0f113f3e
MC		 3851 STACK_OF(SSL_CIPHER) *prio, *allow;
3852 int i, ii, ok;
0de6d66d 3853 unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
d02b48c6 3854
0f113f3e 3855 /* Let's see which ciphers we can support */
d02b48c6 3856
0f113f3e
MC		 3857 /*
3858 * Do not set the compare functions, because this may lead to a
3859 * reordering by "id". We want to keep the original ordering. We may pay
3860 * a price in performance during sk_SSL_CIPHER_find(), but would have to
3861 * pay with the price of sk_SSL_CIPHER_dup().
3862 */
d02b48c6 3863
f415fa32 3864#ifdef CIPHER_DEBUG
0f113f3e
MC		 3865 fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr),
3866 (void *)srvr);
3867 for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) {
3868 c = sk_SSL_CIPHER_value(srvr, i);
3869 fprintf(stderr, "%p:%s\n", (void *)c, c->name);
3870 }
3871 fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt),
3872 (void *)clnt);
3873 for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) {
3874 c = sk_SSL_CIPHER_value(clnt, i);
3875 fprintf(stderr, "%p:%s\n", (void *)c, c->name);
3876 }
f415fa32
BL		 3877#endif
3878
0f113f3e
MC		 3879 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
3880 prio = srvr;
3881 allow = clnt;
3882 } else {
3883 prio = clnt;
3884 allow = srvr;
3885 }
3886
0de6d66d
MC		 3887 if (!SSL_IS_TLS13(s)) {
3888 tls1_set_cert_validity(s);
3889 ssl_set_masks(s);
3890 }
0f113f3e
MC		 3891
3892 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
3893 c = sk_SSL_CIPHER_value(prio, i);
3894
3eb2aff4
KR		 3895 /* Skip ciphers not supported by the protocol version */
3896 if (!SSL_IS_DTLS(s) &&
a230b26e 3897 ((s->version < c->min_tls) || (s->version > c->max_tls)))
0f113f3e 3898 continue;
3eb2aff4 3899 if (SSL_IS_DTLS(s) &&
a230b26e
EK		 3900 (DTLS_VERSION_LT(s->version, c->min_dtls) ||
3901 DTLS_VERSION_GT(s->version, c->max_dtls)))
2b573382 3902 continue;
a055a881 3903
0de6d66d
MC		 3904 /*
3905 * Since TLS 1.3 ciphersuites can be used with any auth or
3906 * key exchange scheme skip tests.
3907 */
3908 if (!SSL_IS_TLS13(s)) {
612ca806
DSH		 3909 mask_k = s->s3->tmp.mask_k;
3910 mask_a = s->s3->tmp.mask_a;
edc032b5 3911#ifndef OPENSSL_NO_SRP
612ca806
DSH		 3912 if (s->srp_ctx.srp_Mask & SSL_kSRP) {
3913 mask_k |= SSL_kSRP;
3914 mask_a |= SSL_aSRP;
3915 }
edc032b5 3916#endif
0f113f3e 3917
612ca806
DSH		 3918 alg_k = c->algorithm_mkey;
3919 alg_a = c->algorithm_auth;
52b8dad8 3920
ddac1974 3921#ifndef OPENSSL_NO_PSK
612ca806
DSH		 3922 /* with PSK there must be server callback set */
3923 if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
3924 continue;
0f113f3e
MC		 3925#endif /* OPENSSL_NO_PSK */
3926
612ca806 3927 ok = (alg_k & mask_k) && (alg_a & mask_a);
d02b48c6 3928#ifdef CIPHER_DEBUG
612ca806
DSH		 3929 fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
3930 alg_a, mask_k, mask_a, (void *)c, c->name);
d02b48c6 3931#endif
d02b48c6 3932
a230b26e 3933#ifndef OPENSSL_NO_EC
612ca806
DSH		 3934 /*
3935 * if we are considering an ECC cipher suite that uses an ephemeral
3936 * EC key check it
3937 */
3938 if (alg_k & SSL_kECDHE)
3939 ok = ok && tls1_check_ec_tmp_key(s, c->id);
a230b26e 3940#endif /* OPENSSL_NO_EC */
0f113f3e 3941
612ca806
DSH		 3942 if (!ok)
3943 continue;
3944 }
0f113f3e
MC		 3945 ii = sk_SSL_CIPHER_find(allow, c);
3946 if (ii >= 0) {
3947 /* Check security callback permits this cipher */
3948 if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
4a640fb6 3949 c->strength_bits, 0, (void *)c))
0f113f3e 3950 continue;
e481f9b9 3951#if !defined(OPENSSL_NO_EC)
0f113f3e
MC		 3952 if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
3953 && s->s3->is_probably_safari) {
3954 if (!ret)
3955 ret = sk_SSL_CIPHER_value(allow, ii);
3956 continue;
3957 }
d89cd382 3958#endif
0f113f3e
MC		 3959 ret = sk_SSL_CIPHER_value(allow, ii);
3960 break;
3961 }
3962 }
3963 return (ret);
3964}
d02b48c6 3965
28ff8ef3 3966int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt)
0f113f3e 3967{
90d9e49a 3968 uint32_t alg_k, alg_a = 0;
0f113f3e
MC		 3969
3970 /* If we have custom certificate types set, use them */
75c13e78
DSH		 3971 if (s->cert->ctype)
3972 return WPACKET_memcpy(pkt, s->cert->ctype, s->cert->ctype_len);
0f113f3e
MC		 3973 /* Get mask of algorithms disabled by signature list */
3974 ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK);
0f113f3e
MC		 3975
3976 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
d02b48c6 3977
caa97ef1 3978#ifndef OPENSSL_NO_GOST
28ff8ef3
MC		 3979 if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
3980 return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN)
3981 && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
3982 && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN);
caa97ef1
DSH		 3983#endif
3984
bc71f910 3985 if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) {
bc36ee62 3986#ifndef OPENSSL_NO_DH
0f113f3e 3987# ifndef OPENSSL_NO_RSA
28ff8ef3
MC		 3988 if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH))
3989 return 0;
0f113f3e
MC		 3990# endif
3991# ifndef OPENSSL_NO_DSA
28ff8ef3
MC		 3992 if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH))
3993 return 0;
0f113f3e 3994# endif
0f113f3e 3995#endif /* !OPENSSL_NO_DH */
1e0784ff 3996 }
bc36ee62 3997#ifndef OPENSSL_NO_RSA
28ff8ef3
MC		 3998 if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN))
3999 return 0;
d02b48c6 4000#endif
bc36ee62 4001#ifndef OPENSSL_NO_DSA
28ff8ef3
MC		 4002 if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN))
4003 return 0;
dfeab068 4004#endif
10bf4fc2 4005#ifndef OPENSSL_NO_EC
0f113f3e 4006 /*
c66ce5eb 4007 * ECDSA certs can be used with RSA cipher suites too so we don't
0f113f3e
MC		 4008 * need to check for SSL_kECDH or SSL_kECDHE
4009 */
28ff8ef3
MC		 4010 if (s->version >= TLS1_VERSION
4011 && !(alg_a & SSL_aECDSA)
4012 && !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN))
4013 return 0;
0f113f3e 4014#endif
28ff8ef3 4015 return 1;
0f113f3e 4016}
d02b48c6 4017
9f27b1ee 4018static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)
0f113f3e 4019{
75c13e78
DSH		 4020 OPENSSL_free(c->ctype);
4021 c->ctype = NULL;
4022 c->ctype_len = 0;
4023 if (p == NULL || len == 0)
0f113f3e
MC		 4024 return 1;
4025 if (len > 0xff)
4026 return 0;
75c13e78
DSH		 4027 c->ctype = OPENSSL_memdup(p, len);
4028 if (c->ctype == NULL)
0f113f3e 4029 return 0;
75c13e78 4030 c->ctype_len = len;
0f113f3e
MC		 4031 return 1;
4032}
9f27b1ee 4033
6b691a5c 4034int ssl3_shutdown(SSL *s)
0f113f3e
MC		 4035{
4036 int ret;
4037
4038 /*
4039 * Don't do anything much if we have not done the handshake or we don't
4040 * want to send messages :-)
4041 */
c874def6 4042 if (s->quiet_shutdown || SSL_in_before(s)) {
0f113f3e
MC		 4043 s->shutdown = (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
4044 return (1);
4045 }
4046
4047 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
4048 s->shutdown |= SSL_SENT_SHUTDOWN;
0f113f3e 4049 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
0f113f3e
MC		 4050 /*
4051 * our shutdown alert has been sent now, and if it still needs to be
4052 * written, s->s3->alert_dispatch will be true
4053 */
4054 if (s->s3->alert_dispatch)
4055 return (-1); /* return WANT_WRITE */
4056 } else if (s->s3->alert_dispatch) {
4057 /* resend it if not sent */
0f113f3e
MC		 4058 ret = s->method->ssl_dispatch_alert(s);
4059 if (ret == -1) {
4060 /*
4061 * we only get to return -1 here the 2nd/Nth invocation, we must
8483a003 4062 * have already signalled return 0 upon a previous invocation,
0f113f3e
MC		 4063 * return WANT_WRITE
4064 */
4065 return (ret);
4066 }
0f113f3e 4067 } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
54105ddd 4068 size_t readbytes;
0f113f3e
MC		 4069 /*
4070 * If we are waiting for a close from our peer, we are closed
4071 */
54105ddd 4072 s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0, &readbytes);
0f113f3e 4073 if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
eda75751 4074 return -1; /* return WANT_READ */
0f113f3e
MC		 4075 }
4076 }
4077
4078 if ((s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) &&
4079 !s->s3->alert_dispatch)
4080 return (1);
4081 else
4082 return (0);
4083}
d02b48c6 4084
7ee8627f 4085int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written)
0f113f3e 4086{
0f113f3e
MC		 4087 clear_sys_error();
4088 if (s->s3->renegotiate)
c7f47786 4089 ssl3_renegotiate_check(s, 0);
0f113f3e 4090
7ee8627f
MC		 4091 return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
4092 written);
0f113f3e 4093}
d02b48c6 4094
eda75751 4095static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek,
54105ddd 4096 size_t *readbytes)
0f113f3e
MC		 4097{
4098 int ret;
4099
4100 clear_sys_error();
4101 if (s->s3->renegotiate)
c7f47786 4102 ssl3_renegotiate_check(s, 0);
0f113f3e
MC		 4103 s->s3->in_read_app_data = 1;
4104 ret =
657da85e 4105 s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len,
54105ddd 4106 peek, readbytes);
0f113f3e
MC		 4107 if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
4108 /*
4109 * ssl3_read_bytes decided to call s->handshake_func, which called
4110 * ssl3_read_bytes to read handshake data. However, ssl3_read_bytes
4111 * actually found application data and thinks that application data
4112 * makes sense here; so disable handshake processing and try to read
4113 * application data again.
4114 */
024f543c 4115 ossl_statem_set_in_handshake(s, 1);
0f113f3e 4116 ret =
657da85e 4117 s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf,
54105ddd 4118 len, peek, readbytes);
024f543c 4119 ossl_statem_set_in_handshake(s, 0);
0f113f3e
MC		 4120 } else
4121 s->s3->in_read_app_data = 0;
4122
eda75751 4123 return ret;
0f113f3e 4124}
d02b48c6 4125
54105ddd 4126int ssl3_read(SSL *s, void *buf, size_t len, size_t *readbytes)
0f113f3e 4127{
54105ddd 4128 return ssl3_read_internal(s, buf, len, 0, readbytes);
0f113f3e 4129}
d02b48c6 4130
54105ddd 4131int ssl3_peek(SSL *s, void *buf, size_t len, size_t *readbytes)
0f113f3e 4132{
54105ddd 4133 return ssl3_read_internal(s, buf, len, 1, readbytes);
0f113f3e 4134}
d02b48c6 4135
6b691a5c 4136int ssl3_renegotiate(SSL *s)
0f113f3e
MC		 4137{
4138 if (s->handshake_func == NULL)
4139 return (1);
d02b48c6 4140
0f113f3e
MC		 4141 s->s3->renegotiate = 1;
4142 return (1);
4143}
d02b48c6 4144
c7f47786
MC		 4145/*
4146 * Check if we are waiting to do a renegotiation and if so whether now is a
4147 * good time to do it. If |initok| is true then we are being called from inside
4148 * the state machine so ignore the result of SSL_in_init(s). Otherwise we
4149 * should not do a renegotiation if SSL_in_init(s) is true. Returns 1 if we
4150 * should do a renegotiation now and sets up the state machine for it. Otherwise
4151 * returns 0.
4152 */
4153int ssl3_renegotiate_check(SSL *s, int initok)
0f113f3e
MC		 4154{
4155 int ret = 0;
4156
4157 if (s->s3->renegotiate) {
f161995e
MC		 4158 if (!RECORD_LAYER_read_pending(&s->rlayer)
4159 && !RECORD_LAYER_write_pending(&s->rlayer)
c7f47786 4160 && (initok || !SSL_in_init(s))) {
0f113f3e
MC		 4161 /*
4162 * if we are the server, and we have sent a 'RENEGOTIATE'
49ae7423
MC		 4163 * message, we need to set the state machine into the renegotiate
4164 * state.
0f113f3e 4165 */
fe3a3291 4166 ossl_statem_set_renegotiate(s);
0f113f3e
MC		 4167 s->s3->renegotiate = 0;
4168 s->s3->num_renegotiations++;
4169 s->s3->total_renegotiations++;
4170 ret = 1;
4171 }
4172 }
c7f47786 4173 return ret;
0f113f3e
MC		 4174}
4175
58964a49 4176/*
0f113f3e
MC		 4177 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
4178 * handshake macs if required.
12053a81
DSH		 4179 *
4180 * If PSK and using SHA384 for TLS < 1.2 switch to default.
7409d7ad
DSH		 4181 */
4182long ssl_get_algorithm2(SSL *s)
0f113f3e 4183{
52eede5a
DSH		 4184 long alg2;
4185 if (s->s3 == NULL || s->s3->tmp.new_cipher == NULL)
4186 return -1;
4187 alg2 = s->s3->tmp.new_cipher->algorithm2;
12053a81
DSH		 4188 if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF) {
4189 if (alg2 == (SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF))
4190 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
4191 } else if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) {
4192 if (alg2 == (SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384))
4193 return SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
4194 }
0f113f3e
MC		 4195 return alg2;
4196}
a3680c8f
MC		 4197
4198/*
4199 * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
4200 * failure, 1 on success.
4201 */
f7f2a01d
MC		 4202int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len,
4203 DOWNGRADE dgrd)
a3680c8f 4204{
f7f2a01d 4205 int send_time = 0, ret;
a3680c8f
MC		 4206
4207 if (len < 4)
4208 return 0;
4209 if (server)
4210 send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
4211 else
4212 send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
4213 if (send_time) {
4214 unsigned long Time = (unsigned long)time(NULL);
4215 unsigned char *p = result;
4216 l2n(Time, p);
348240c6 4217 /* TODO(size_t): Convert this */
f7f2a01d
MC		 4218 ret = RAND_bytes(p, (int)(len - 4));
4219 } else {
4220 ret = RAND_bytes(result, (int)len);
4221 }
4222#ifndef OPENSSL_NO_TLS13DOWNGRADE
4223 if (ret) {
b77f3ed1
MC		 4224 if (!ossl_assert(sizeof(tls11downgrade) < len)
4225 || !ossl_assert(sizeof(tls12downgrade) < len))
4226 return 0;
f7f2a01d
MC		 4227 if (dgrd == DOWNGRADE_TO_1_2)
4228 memcpy(result + len - sizeof(tls12downgrade), tls12downgrade,
4229 sizeof(tls12downgrade));
4230 else if (dgrd == DOWNGRADE_TO_1_1)
4231 memcpy(result + len - sizeof(tls11downgrade), tls11downgrade,
4232 sizeof(tls11downgrade));
4233 }
4234#endif
4235 return ret;
a3680c8f 4236}
57b272b0
DSH		 4237
4238int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
4239 int free_pms)
4240{
8a0a12e5 4241 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
8c1a5343
MC		 4242 int ret = 0;
4243
8a0a12e5 4244 if (alg_k & SSL_PSK) {
0907d710 4245#ifndef OPENSSL_NO_PSK
8a0a12e5
DSH		 4246 unsigned char *pskpms, *t;
4247 size_t psklen = s->s3->tmp.psklen;
4248 size_t pskpmslen;
4249
4250 /* create PSK premaster_secret */
4251
4252 /* For plain PSK "other_secret" is psklen zeroes */
4253 if (alg_k & SSL_kPSK)
4254 pmslen = psklen;
4255
4256 pskpmslen = 4 + pmslen + psklen;
4257 pskpms = OPENSSL_malloc(pskpmslen);
8c1a5343 4258 if (pskpms == NULL)
a784665e 4259 goto err;
8a0a12e5
DSH		 4260 t = pskpms;
4261 s2n(pmslen, t);
4262 if (alg_k & SSL_kPSK)
4263 memset(t, 0, pmslen);
4264 else
4265 memcpy(t, pms, pmslen);
4266 t += pmslen;
4267 s2n(psklen, t);
4268 memcpy(t, s->s3->tmp.psk, psklen);
4269
4270 OPENSSL_clear_free(s->s3->tmp.psk, psklen);
4271 s->s3->tmp.psk = NULL;
8c1a5343
MC		 4272 if (!s->method->ssl3_enc->generate_master_secret(s,
4273 s->session->master_key,pskpms, pskpmslen,
4274 &s->session->master_key_length))
4275 goto err;
8a0a12e5 4276 OPENSSL_clear_free(pskpms, pskpmslen);
0907d710
MC		 4277#else
4278 /* Should never happen */
0907d710 4279 goto err;
8a0a12e5 4280#endif
0907d710 4281 } else {
8c1a5343
MC		 4282 if (!s->method->ssl3_enc->generate_master_secret(s,
4283 s->session->master_key, pms, pmslen,
4284 &s->session->master_key_length))
4285 goto err;
0907d710
MC		 4286 }
4287
8c1a5343 4288 ret = 1;
0907d710 4289 err:
8a0a12e5
DSH		 4290 if (pms) {
4291 if (free_pms)
4292 OPENSSL_clear_free(pms, pmslen);
4293 else
4294 OPENSSL_cleanse(pms, pmslen);
4295 }
57b272b0
DSH		 4296 if (s->server == 0)
4297 s->s3->tmp.pms = NULL;
8c1a5343 4298 return ret;
57b272b0 4299}
3f3504bd 4300
0a699a07
DSH		 4301/* Generate a private key from parameters */
4302EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
3f3504bd
DSH		 4303{
4304 EVP_PKEY_CTX *pctx = NULL;
4305 EVP_PKEY *pkey = NULL;
0a699a07
DSH		 4306
4307 if (pm == NULL)
4308 return NULL;
4309 pctx = EVP_PKEY_CTX_new(pm, NULL);
4310 if (pctx == NULL)
4311 goto err;
4312 if (EVP_PKEY_keygen_init(pctx) <= 0)
4313 goto err;
4314 if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
4315 EVP_PKEY_free(pkey);
4316 pkey = NULL;
4317 }
4318
4319 err:
4320 EVP_PKEY_CTX_free(pctx);
4321 return pkey;
4322}
4323#ifndef OPENSSL_NO_EC
4324/* Generate a private key a curve ID */
4325EVP_PKEY *ssl_generate_pkey_curve(int id)
4326{
4327 EVP_PKEY_CTX *pctx = NULL;
4328 EVP_PKEY *pkey = NULL;
4329 unsigned int curve_flags;
4330 int nid = tls1_ec_curve_id2nid(id, &curve_flags);
4331
4332 if (nid == 0)
4333 goto err;
4334 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
4335 pctx = EVP_PKEY_CTX_new_id(nid, NULL);
ec24630a 4336 nid = 0;
3f3504bd 4337 } else {
0a699a07 4338 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
3f3504bd
DSH		 4339 }
4340 if (pctx == NULL)
4341 goto err;
4342 if (EVP_PKEY_keygen_init(pctx) <= 0)
4343 goto err;
ec24630a 4344 if (nid != 0 && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0)
3f3504bd 4345 goto err;
3f3504bd
DSH		 4346 if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
4347 EVP_PKEY_free(pkey);
4348 pkey = NULL;
4349 }
4350
a230b26e 4351 err:
3f3504bd
DSH		 4352 EVP_PKEY_CTX_free(pctx);
4353 return pkey;
4354}
0a699a07 4355#endif
a230b26e 4356
92760c21
MC		 4357/* Derive secrets for ECDH/DH */
4358int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
3f3504bd
DSH		 4359{
4360 int rv = 0;
4361 unsigned char *pms = NULL;
4362 size_t pmslen = 0;
4363 EVP_PKEY_CTX *pctx;
4364
4365 if (privkey == NULL || pubkey == NULL)
4366 return 0;
4367
4368 pctx = EVP_PKEY_CTX_new(privkey, NULL);
4369
4370 if (EVP_PKEY_derive_init(pctx) <= 0
4371 || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0
4372 || EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) {
4373 goto err;
4374 }
4375
4376 pms = OPENSSL_malloc(pmslen);
4377 if (pms == NULL)
4378 goto err;
4379
4380 if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0)
4381 goto err;
4382
92760c21
MC		 4383 if (gensecret) {
4384 if (SSL_IS_TLS13(s)) {
4385 /*
ec15acb6
MC		 4386 * If we are resuming then we already generated the early secret
4387 * when we created the ClientHello, so don't recreate it.
92760c21 4388 */
ec15acb6
MC		 4389 if (!s->hit)
4390 rv = tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL,
4391 0,
4392 (unsigned char *)&s->early_secret);
0247086d
MC		 4393 else
4394 rv = 1;
4395
ec15acb6 4396 rv = rv && tls13_generate_handshake_secret(s, pms, pmslen);
92760c21 4397 } else {
c8ab3a46 4398 rv = ssl_generate_master_secret(s, pms, pmslen, 0);
92760c21 4399 }
3f3504bd 4400 } else {
0f1e51ea 4401 /* Save premaster secret */
3f3504bd
DSH		 4402 s->s3->tmp.pms = pms;
4403 s->s3->tmp.pmslen = pmslen;
4404 pms = NULL;
4405 rv = 1;
4406 }
4407
a230b26e 4408 err:
3f3504bd
DSH		 4409 OPENSSL_clear_free(pms, pmslen);
4410 EVP_PKEY_CTX_free(pctx);
4411 return rv;
4412}
6c4e6670 4413
1e0784ff 4414#ifndef OPENSSL_NO_DH
6c4e6670
DSH		 4415EVP_PKEY *ssl_dh_to_pkey(DH *dh)
4416{
4417 EVP_PKEY *ret;
4418 if (dh == NULL)
4419 return NULL;
4420 ret = EVP_PKEY_new();
4421 if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
4422 EVP_PKEY_free(ret);
4423 return NULL;
4424 }
4425 return ret;
4426}
1e0784ff 4427#endif
A mirror of the official openssl repository