File Coverage

inc/matrixssl-3-9-3-open/matrixssl/cipherSuite.c

Criterion	Covered	Total	%
statement	327	555	58.9
branch	223	532	41.9
condition			n/a
subroutine			n/a
pod			n/a
total	550	1087	50.6

line	stmt	bran	code
1			/**
2			* @file cipherSuite.c
3			* @version 950bba4 (HEAD -> master)
4			*
5			* Wrappers for the various cipher suites..
6			* Enable specific suites at compile time in matrixsslConfig.h
7			*/
8			/*
9			* Copyright (c) 2013-2017 INSIDE Secure Corporation
10			* Copyright (c) PeerSec Networks, 2002-2011
11			* All Rights Reserved
12			*
13			* The latest version of this code is available at http://www.matrixssl.org
14			*
15			* This software is open source; you can redistribute it and/or modify
16			* it under the terms of the GNU General Public License as published by
17			* the Free Software Foundation; either version 2 of the License, or
18			* (at your option) any later version.
19			*
20			* This General Public License does NOT permit incorporating this software
21			* into proprietary programs. If you are unable to comply with the GPL, a
22			* commercial license for this software may be purchased from INSIDE at
23			* http://www.insidesecure.com/
24			*
25			* This program is distributed in WITHOUT ANY WARRANTY; without even the
26			* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
27			* See the GNU General Public License for more details.
28			*
29			* You should have received a copy of the GNU General Public License
30			* along with this program; if not, write to the Free Software
31			* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
32			* http://www.gnu.org/copyleft/gpl.html
33			*/
34			/******************************************************************************/
35
36			#include "matrixsslImpl.h"
37
38			/******************************************************************************/
39			/* Symmetric cipher initializtion wrappers for cipher suites */
40			/******************************************************************************/
41			/*
42			SSL_NULL_WITH_NULL_NULL cipher functions
43			Used in handshaking before SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC message
44			*/
45	0		static int32 csNullInit(sslSec_t *sec, int32 type, uint32 keysize)
46			{
47	0		return 0;
48			}
49
50			/******************************************************************************/
51			#if defined(USE_ARC4) && defined(USE_ARC4_CIPHER_SUITE)
52			/******************************************************************************/
53			static int32 csArc4Init(sslSec_t *sec, int32 type, uint32 keysize)
54			{
55			if (type == INIT_ENCRYPT_CIPHER)
56			{
57			psArc4Init(&(sec->encryptCtx.arc4), sec->writeKey, keysize);
58			}
59			else
60			{
61			psArc4Init(&(sec->decryptCtx.arc4), sec->readKey, keysize);
62			}
63			return PS_SUCCESS;
64			}
65			int32 csArc4Encrypt(void ssl, unsigned char pt,
66			unsigned char *ct, uint32 len)
67			{
68			ssl_t *lssl = ssl;
69			psArc4_t *ctx = &lssl->sec.encryptCtx.arc4;
70
71			psArc4(ctx, pt, ct, len);
72			return len;
73			}
74			int32 csArc4Decrypt(void ssl, unsigned char ct,
75			unsigned char *pt, uint32 len)
76			{
77			ssl_t *lssl = ssl;
78			psArc4_t *ctx = &lssl->sec.decryptCtx.arc4;
79
80			psArc4(ctx, ct, pt, len);
81			return len;
82			}
83
84			#endif /* USE_ARC4_CIPHER_SUITE */
85			/******************************************************************************/
86
87			/******************************************************************************/
88			#if defined(USE_3DES) && defined (USE_3DES_CIPHER_SUITE)
89			/******************************************************************************/
90			static int32 csDes3Init(sslSec_t *sec, int32 type, uint32 keysize)
91			{
92			int32 err;
93
94			psAssert(keysize == DES3_KEYLEN);
95
96			if (type == INIT_ENCRYPT_CIPHER)
97			{
98			if ((err = psDes3Init(&(sec->encryptCtx.des3), sec->writeIV, sec->writeKey)) < 0)
99			{
100			return err;
101			}
102			}
103			else
104			{
105			if ((err = psDes3Init(&(sec->decryptCtx.des3), sec->readIV, sec->readKey)) < 0)
106			{
107			return err;
108			}
109			}
110			return PS_SUCCESS;
111			}
112
113			int32 csDes3Encrypt(void ssl, unsigned char pt,
114			unsigned char *ct, uint32 len)
115			{
116			ssl_t *lssl = ssl;
117			psDes3_t *ctx = &lssl->sec.encryptCtx.des3;
118
119			psDes3Encrypt(ctx, pt, ct, len);
120			return len;
121			}
122
123			int32 csDes3Decrypt(void ssl, unsigned char ct,
124			unsigned char *pt, uint32 len)
125			{
126			ssl_t *lssl = ssl;
127			psDes3_t *ctx = &lssl->sec.decryptCtx.des3;
128
129			psDes3Decrypt(ctx, ct, pt, len);
130			return len;
131			}
132
133			#endif /* USE_3DES_CIPHER_SUITE */
134			/******************************************************************************/
135
136			#ifdef USE_AES_CIPHER_SUITE
137			# ifdef USE_NATIVE_AES
138			# ifdef USE_TLS_1_2
139			# ifdef USE_AES_GCM
140	4234		int32 csAesGcmInit(sslSec_t *sec, int32 type, uint32 keysize)
141			{
142			int32 err;
143
144	4234	100	if (type == INIT_ENCRYPT_CIPHER)
145			{
146	2117		memset(&sec->encryptCtx.aesgcm, 0, sizeof(psAesGcm_t));
147	2117	50	if ((err = psAesInitGCM(&sec->encryptCtx.aesgcm, sec->writeKey,
148			keysize)) < 0)
149			{
150	0		return err;
151			}
152			}
153			else
154			{
155	2117		memset(&sec->decryptCtx.aesgcm, 0, sizeof(psAesGcm_t));
156	2117	50	if ((err = psAesInitGCM(&sec->decryptCtx.aesgcm, sec->readKey,
157			keysize)) < 0)
158			{
159	0		return err;
160			}
161			}
162	4234		return 0;
163			}
164
165	10411		int32 csAesGcmEncrypt(void ssl, unsigned char pt,
166			unsigned char *ct, uint32 len)
167			{
168	10411		ssl_t *lssl = ssl;
169			psAesGcm_t *ctx;
170			unsigned char nonce[12];
171			unsigned char aad[TLS_GCM_AAD_LEN];
172			int32 i, ptLen, seqNotDone;
173
174	10411	100	if (len == 0)
175			{
176	4123		return PS_SUCCESS;
177			}
178
179	6288	50	if (len < 16 + 1)
180			{
181	0		return PS_LIMIT_FAIL;
182			}
183	6288		ptLen = len - TLS_GCM_TAG_LEN;
184
185	6288		ctx = &lssl->sec.encryptCtx.aesgcm;
186
187	6288		memcpy(nonce, lssl->sec.writeIV, 4);
188
189	6288		seqNotDone = 1;
190			/* Each value of the nonce_explicit MUST be distinct for each distinct
191			invocation of the GCM encrypt function for any fixed key. Failure to
192			meet this uniqueness requirement can significantly degrade security.
193			The nonce_explicit MAY be the 64-bit sequence number. */
194			# ifdef USE_DTLS
195			if (lssl->flags & SSL_FLAGS_DTLS)
196			{
197			memcpy(nonce + 4, lssl->epoch, 2);
198			memcpy(nonce + 4 + 2, lssl->rsn, 6);
199			/* In the case of DTLS the counter is formed from the concatenation of
200			the 16-bit epoch with the 48-bit sequence number.*/
201			memcpy(aad, lssl->epoch, 2);
202			memcpy(aad + 2, lssl->rsn, 6);
203			seqNotDone = 0;
204			}
205			# endif
206
207	6288	50	if (seqNotDone)
208			{
209	6288		memcpy(nonce + 4, lssl->sec.seq, TLS_EXPLICIT_NONCE_LEN);
210	6288		memcpy(aad, lssl->sec.seq, 8);
211			}
212	6288		aad[8] = lssl->outRecType;
213	6288		aad[9] = lssl->majVer;
214	6288		aad[10] = lssl->minVer;
215	6288		aad[11] = ptLen >> 8 & 0xFF;
216	6288		aad[12] = ptLen & 0xFF;
217
218	6288		psAesReadyGCM(ctx, nonce, aad, TLS_GCM_AAD_LEN);
219	6288		psAesEncryptGCM(ctx, pt, ct, ptLen);
220	6288		psAesGetGCMTag(ctx, 16, ct + ptLen);
221
222			# ifdef USE_DTLS
223			if (lssl->flags & SSL_FLAGS_DTLS)
224			{
225			return len;
226			}
227			# endif
228
229			/* Normally HMAC would increment the sequence */
230	6288	50	for (i = 7; i >= 0; i--)
231			{
232	6288		lssl->sec.seq[i]++;
233	6288	50	if (lssl->sec.seq[i] != 0)
234			{
235	6288		break;
236			}
237			}
238	10411		return len;
239			}
240
241	6287		int32 csAesGcmDecrypt(void ssl, unsigned char ct,
242			unsigned char *pt, uint32 len)
243			{
244	6287		ssl_t *lssl = ssl;
245			psAesGcm_t *ctx;
246			int32 i, ctLen, bytes, seqNotDone;
247			unsigned char nonce[12];
248			unsigned char aad[TLS_GCM_AAD_LEN];
249
250	6287		ctx = &lssl->sec.decryptCtx.aesgcm;
251
252	6287		seqNotDone = 1;
253	6287		memcpy(nonce, lssl->sec.readIV, 4);
254	6287		memcpy(nonce + 4, ct, TLS_EXPLICIT_NONCE_LEN);
255	6287		ct += TLS_EXPLICIT_NONCE_LEN;
256	6287		len -= TLS_EXPLICIT_NONCE_LEN;
257
258			# ifdef USE_DTLS
259			if (lssl->flags & SSL_FLAGS_DTLS)
260			{
261			/* In the case of DTLS the counter is formed from the concatenation of
262			the 16-bit epoch with the 48-bit sequence number. */
263			memcpy(aad, lssl->rec.epoch, 2);
264			memcpy(aad + 2, lssl->rec.rsn, 6);
265			seqNotDone = 0;
266			}
267			# endif
268
269	6287	50	if (seqNotDone)
270			{
271	6287		memcpy(aad, lssl->sec.remSeq, 8);
272			}
273	6287		ctLen = len - TLS_GCM_TAG_LEN;
274	6287		aad[8] = lssl->rec.type;
275	6287		aad[9] = lssl->majVer;
276	6287		aad[10] = lssl->minVer;
277	6287		aad[11] = ctLen >> 8 & 0xFF;
278	6287		aad[12] = ctLen & 0xFF;
279
280	6287		psAesReadyGCM(ctx, nonce, aad, TLS_GCM_AAD_LEN);
281
282	6287	50	if ((bytes = psAesDecryptGCM(ctx, ct, len, pt, len - TLS_GCM_TAG_LEN)) < 0)
283			{
284	0		return -1;
285			}
286	6287	50	for (i = 7; i >= 0; i--)
287			{
288	6287		lssl->sec.remSeq[i]++;
289	6287	50	if (lssl->sec.remSeq[i] != 0)
290			{
291	6287		break;
292			}
293			}
294	6287		return bytes;
295			}
296			# endif /* USE_AES_GCM */
297			# endif /* USE_TLS_1_2 */
298
299			# ifdef USE_AES_CBC
300			/******************************************************************************/
301	4		int32 csAesInit(sslSec_t *sec, int32 type, uint32 keysize)
302			{
303			int32 err;
304
305	4	100	if (type == INIT_ENCRYPT_CIPHER)
306			{
307	2		memset(&(sec->encryptCtx), 0, sizeof(psAesCbc_t));
308	2	50	if ((err = psAesInitCBC(&sec->encryptCtx.aes, sec->writeIV, sec->writeKey,
309			keysize, PS_AES_ENCRYPT)) < 0)
310			{
311	0		return err;
312			}
313			}
314			else /* Init for decrypt */
315			{
316	2		memset(&(sec->decryptCtx), 0, sizeof(psAesCbc_t));
317	2	50	if ((err = psAesInitCBC(&sec->decryptCtx.aes, sec->readIV, sec->readKey,
318			keysize, PS_AES_DECRYPT)) < 0)
319			{
320	0		return err;
321			}
322			}
323	4		return PS_SUCCESS;
324			}
325
326	5		int32 csAesEncrypt(void ssl, unsigned char pt,
327			unsigned char *ct, uint32 len)
328			{
329	5		ssl_t *lssl = ssl;
330	5		psAesCbc_t *ctx = &lssl->sec.encryptCtx.aes;
331
332	5		psAesEncryptCBC(ctx, pt, ct, len);
333	5		return len;
334			}
335
336	3		int32 csAesDecrypt(void ssl, unsigned char ct,
337			unsigned char *pt, uint32 len)
338			{
339	3		ssl_t *lssl = ssl;
340	3		psAesCbc_t *ctx = &lssl->sec.decryptCtx.aes;
341
342	3		psAesDecryptCBC(ctx, ct, pt, len);
343	3		return len;
344			}
345			# endif /USE_AES_CBC /
346			# endif /* USE_NATIVE_AES */
347			#endif /* USE_AES_CIPHER_SUITE */
348
349			/******************************************************************************/
350
351			/* #define DEBUG_CHACHA20_POLY1305_CIPHER_SUITE */
352			#ifdef USE_CHACHA20_POLY1305_CIPHER_SUITE
353			int32 csChacha20Poly1305Init(sslSec_t *sec, int32 type, uint32 keysize)
354			{
355			int32 err;
356
357			if (type == INIT_ENCRYPT_CIPHER)
358			{
359			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
360			psTraceInfo("Entering csChacha20Poly1305Init encrypt\n");
361			psTraceBytes("sec->writeKey", sec->writeKey, keysize);
362			# endif
363			memset(&sec->encryptCtx.chacha20poly1305, 0, sizeof(psChacha20Poly1305_t));
364			if ((err = psChacha20Poly1305Init(&sec->encryptCtx.chacha20poly1305, sec->writeKey,
365			keysize)) < 0)
366			{
367			return err;
368			}
369			}
370			else
371			{
372			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
373			psTraceInfo("Entering csChacha20Poly1305Init decrypt\n");
374			psTraceBytes("sec->readKey", sec->readKey, keysize);
375			# endif
376			memset(&sec->decryptCtx.chacha20poly1305, 0, sizeof(psChacha20Poly1305_t));
377			if ((err = psChacha20Poly1305Init(&sec->decryptCtx.chacha20poly1305, sec->readKey,
378			keysize)) < 0)
379			{
380			return err;
381			}
382			}
383			return 0;
384			}
385
386			int32 csChacha20Poly1305Encrypt(void ssl, unsigned char pt,
387			unsigned char *ct, uint32 len)
388			{
389			ssl_t *lssl = ssl;
390			psChacha20Poly1305_t *ctx;
391			unsigned char nonce[TLS_AEAD_NONCE_MAXLEN];
392			unsigned char aad[TLS_CHACHA20_POLY1305_AAD_LEN];
393			int32 i, ptLen;
394
395			if (len == 0)
396			{
397			return PS_SUCCESS;
398			}
399			if (len < 16 + 1)
400			{
401			return PS_LIMIT_FAIL;
402			}
403			ptLen = len - TLS_CHACHA20_POLY1305_TAG_LEN;
404			ctx = &lssl->sec.encryptCtx.chacha20poly1305;
405
406			memset(nonce, 0, TLS_AEAD_NONCE_MAXLEN);
407			memset(aad, 0, TLS_CHACHA20_POLY1305_AAD_LEN);
408
409			# ifdef CHACHA20POLY1305_IETF
410			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
411			psTraceInfo("Entering csChacha20Poly1305Encrypt IETF\n");
412			# endif
413			if (sizeof(lssl->sec.writeIV) < CHACHA20POLY1305_IV_FIXED_LENGTH)
414			{
415			return PS_LIMIT_FAIL;
416			}
417			if (sizeof(nonce) < CHACHA20POLY1305_IV_FIXED_LENGTH)
418			{
419			return PS_LIMIT_FAIL;
420			}
421
422			/* The nonce is built according to: https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305 */
423
424			memcpy(nonce + (CHACHA20POLY1305_IV_FIXED_LENGTH - TLS_AEAD_SEQNB_LEN), lssl->sec.seq, TLS_AEAD_SEQNB_LEN);
425
426			for (i = 0; i < CHACHA20POLY1305_IV_FIXED_LENGTH; i++)
427			{
428			nonce[i] ^= lssl->sec.writeIV[i];
429			}
430			# else
431			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
432			psTraceInfo("Entering csChacha20Poly1305Encrypt\n");
433			# endif
434
435			/*
436			The nonce is just the sequence number, as explained in
437			https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04#section-5 AEAD construction
438			*/
439			memcpy(nonce, lssl->sec.seq, TLS_AEAD_SEQNB_LEN);
440			# endif
441			/* --- Fill Additional data ---// */
442			memcpy(aad, lssl->sec.seq, TLS_AEAD_SEQNB_LEN);
443			i = TLS_AEAD_SEQNB_LEN;
444
445			aad[i++] = lssl->outRecType;
446			aad[i++] = lssl->majVer;
447			aad[i++] = lssl->minVer;
448			aad[i++] = ptLen >> 8 & 0xFF;
449			aad[i++] = ptLen & 0xFF;
450
451			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
452			psTraceBytes("nonce", nonce, CHACHA20POLY1305_IV_FIXED_LENGTH);
453			psTraceBytes("aad", aad, TLS_CHACHA20_POLY1305_AAD_LEN);
454			psTraceBytes("pt", pt, ptLen);
455			# endif
456
457			/* Perform encryption and authentication tag computation */
458			psChacha20Poly1305Ready(ctx, nonce, aad, TLS_CHACHA20_POLY1305_AAD_LEN);
459			psChacha20Poly1305Encrypt(ctx, pt, ct, ptLen);
460			psChacha20Poly1305GetTag(ctx, TLS_CHACHA20_POLY1305_TAG_LEN, ct + ptLen);
461
462			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
463			psTraceBytes("ct", ct, ptLen);
464			psTraceBytes("tag", ct + ptLen, TLS_CHACHA20_POLY1305_TAG_LEN);
465			# endif
466
467			/* Normally HMAC would increment the sequence */
468			for (i = (TLS_AEAD_SEQNB_LEN - 1); i >= 0; i--)
469			{
470			lssl->sec.seq[i]++;
471			if (lssl->sec.seq[i] != 0)
472			{
473			break;
474			}
475			}
476			return len;
477			}
478
479			int32 csChacha20Poly1305Decrypt(void ssl, unsigned char ct,
480			unsigned char *pt, uint32 len)
481			{
482			ssl_t *lssl = ssl;
483			psChacha20Poly1305_t *ctx;
484			int32 i, ctLen, bytes;
485
486			unsigned char nonce[TLS_AEAD_NONCE_MAXLEN];
487			unsigned char aad[TLS_CHACHA20_POLY1305_AAD_LEN];
488
489			ctx = &lssl->sec.decryptCtx.chacha20poly1305;
490
491			memset(nonce, 0, TLS_AEAD_NONCE_MAXLEN);
492			memset(aad, 0, TLS_CHACHA20_POLY1305_AAD_LEN);
493
494			# ifdef CHACHA20POLY1305_IETF
495			/* Check https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-06 */
496
497			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
498			psTraceInfo("Entering csChacha20Poly1305Decrypt IETF\n");
499			# endif
500
501			if (sizeof(lssl->sec.readIV) < CHACHA20POLY1305_IV_FIXED_LENGTH)
502			{
503			return PS_LIMIT_FAIL;
504			}
505			if (sizeof(nonce) < CHACHA20POLY1305_IV_FIXED_LENGTH)
506			{
507			return PS_LIMIT_FAIL;
508			}
509
510			/* The nonce is built according to: https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305 */
511
512			memcpy(nonce + (CHACHA20POLY1305_IV_FIXED_LENGTH - TLS_AEAD_SEQNB_LEN), lssl->sec.remSeq, TLS_AEAD_SEQNB_LEN);
513
514			for (i = 0; i < CHACHA20POLY1305_IV_FIXED_LENGTH; i++)
515			{
516			nonce[i] ^= lssl->sec.readIV[i];
517			}
518
519			# else
520			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
521			psTraceInfo("Entering csChacha20Poly1305Decrypt\n");
522			# endif
523			memcpy(nonce, lssl->sec.remSeq, TLS_AEAD_SEQNB_LEN);
524			# endif
525
526			/* --- Fill Additional data ---// */
527			memcpy(aad, lssl->sec.remSeq, TLS_AEAD_SEQNB_LEN);
528			i = TLS_AEAD_SEQNB_LEN;
529
530			/* Update length of encrypted data: we have to remove tag's length */
531			if (len < TLS_CHACHA20_POLY1305_TAG_LEN)
532			{
533			return PS_LIMIT_FAIL;
534			}
535			ctLen = len - TLS_CHACHA20_POLY1305_TAG_LEN;
536
537			aad[i++] = lssl->rec.type;
538			aad[i++] = lssl->majVer;
539			aad[i++] = lssl->minVer;
540			aad[i++] = ctLen >> 8 & 0xFF;
541			aad[i++] = ctLen & 0xFF;
542
543			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
544			psTraceBytes("nonce", nonce, CHACHA20POLY1305_IV_FIXED_LENGTH);
545			psTraceBytes("aad", aad, TLS_CHACHA20_POLY1305_AAD_LEN);
546			psTraceBytes("ct", ct, ctLen);
547			psTraceBytes("tag", ct + ctLen, TLS_CHACHA20_POLY1305_TAG_LEN);
548			# endif
549
550			/* --- Check authentication tag and decrypt data ---// */
551			psChacha20Poly1305Ready(ctx, nonce, aad, TLS_CHACHA20_POLY1305_AAD_LEN);
552
553			if ((bytes = psChacha20Poly1305Decrypt(ctx, ct, len, pt, ctLen)) < 0)
554			{
555			# ifdef DEBUG_CHACHA20_POLY1305_CIPHER_SUITE
556			psTraceInfo("Decrypt NOK\n");
557			# endif
558			return -1;
559			}
560
561			for (i = (TLS_AEAD_SEQNB_LEN - 1); i >= 0; i--)
562			{
563			lssl->sec.remSeq[i]++;
564			if (lssl->sec.remSeq[i] != 0)
565			{
566			break;
567			}
568			}
569
570			return bytes;
571			}
572			#endif /* USE_CHACHA20_POLY1305_CIPHER_SUITE */
573
574			/******************************************************************************/
575
576			#if defined(USE_IDEA) && defined(USE_IDEA_CIPHER_SUITE)
577			int32 csIdeaInit(sslSec_t *sec, int32 type, uint32 keysize)
578			{
579			int32 err;
580
581			if (type == INIT_ENCRYPT_CIPHER)
582			{
583			memset(&(sec->encryptCtx), 0, sizeof(psCipherContext_t));
584			if ((err = psIdeaInit(&(sec->encryptCtx.idea), sec->writeIV, sec->writeKey)) < 0)
585			{
586			return err;
587			}
588			}
589			else /* Init for decrypt */
590			{
591			memset(&(sec->decryptCtx), 0, sizeof(psCipherContext_t));
592			if ((err = psIdeaInit(&(sec->decryptCtx.idea), sec->readIV, sec->readKey)) < 0)
593			{
594			return err;
595			}
596			}
597			return PS_SUCCESS;
598			}
599
600			int32 csIdeaEncrypt(void ssl, unsigned char pt,
601			unsigned char *ct, uint32 len)
602			{
603			ssl_t *lssl = ssl;
604			psIdea_t *ctx = &lssl->sec.encryptCtx.idea;
605
606			psIdeaEncrypt(ctx, pt, ct, len);
607			return len;
608			}
609
610			int32 csIdeaDecrypt(void ssl, unsigned char ct,
611			unsigned char *pt, uint32 len)
612			{
613			ssl_t *lssl = ssl;
614			psIdea_t *ctx = &lssl->sec.encryptCtx.idea;
615
616			psIdeaDecrypt(ctx, ct, pt, len);
617			return len;
618			}
619			#endif /* USE_IDEA_CIPHER_SUITE */
620
621			/******************************************************************************/
622			#if defined(USE_SEED) && defined(USE_SEED_CIPHER_SUITE)
623			/******************************************************************************/
624			static int32 csSeedInit(sslSec_t *sec, int32 type, uint32 keysize)
625			{
626			int32 err;
627
628			psAssert(keysize == SEED_KEYLEN);
629
630			if (type == INIT_ENCRYPT_CIPHER)
631			{
632			memset(&(sec->encryptCtx), 0, sizeof(psSeed_t));
633			if ((err = psSeedInit(&(sec->encryptCtx.seed), sec->writeIV, sec->writeKey)) < 0)
634			{
635			return err;
636			}
637			}
638			else
639			{
640			memset(&(sec->decryptCtx), 0, sizeof(psSeed_t));
641			if ((err = psSeedInit(&(sec->decryptCtx.seed), sec->readIV, sec->readKey)) < 0)
642			{
643			return err;
644			}
645			}
646			return 0;
647			}
648			int32 csSeedEncrypt(void ssl, unsigned char pt,
649			unsigned char *ct, uint32 len)
650			{
651			ssl_t *lssl = ssl;
652			psSeed_t *ctx = &lssl->sec.encryptCtx.seed;
653
654			psSeedEncrypt(ctx, pt, ct, len);
655			return len;
656			}
657
658			int32 csSeedDecrypt(void ssl, unsigned char ct,
659			unsigned char *pt, uint32 len)
660			{
661			ssl_t *lssl = ssl;
662			psSeed_t *ctx = &lssl->sec.encryptCtx.seed;
663
664			psSeedDecrypt(ctx, ct, pt, len);
665			return len;
666			}
667
668			#endif /* USE_SEED_CIPHER_SUITE */
669			/******************************************************************************/
670
671
672			/******************************************************************************/
673			/* Null cipher crypto */
674			/******************************************************************************/
675	18972		static int32 csNullEncrypt(void ctx, unsigned char in,
676			unsigned char *out, uint32 len)
677			{
678	18972	50	if (out != in)
679			{
680	0		memcpy(out, in, len);
681			}
682	18972		return len;
683			}
684
685	8781		static int32 csNullDecrypt(void ctx, unsigned char in,
686			unsigned char *out, uint32 len)
687			{
688	8781	50	if (out != in)
689			{
690	8781		memmove(out, in, len);
691			}
692	8781		return len;
693			}
694
695			/******************************************************************************/
696			/* HMAC wrappers for cipher suites */
697			/******************************************************************************/
698	18972		static int32 csNullGenerateMac(void *ssl, unsigned char type,
699			unsigned char data, uint32 len, unsigned char mac)
700			{
701	18972		return 0;
702			}
703
704	0		static int32 csNullVerifyMac(void *ssl, unsigned char type,
705			unsigned char data, uint32 len, unsigned char mac)
706			{
707	0		return 0;
708			}
709
710			#ifdef USE_SHA_MAC
711			/******************************************************************************/
712	3		static int32 csShaGenerateMac(void *sslv, unsigned char type,
713			unsigned char data, uint32 len, unsigned char macOut)
714			{
715	3		ssl_t ssl = (ssl_t ) sslv;
716			unsigned char mac[MAX_HASH_SIZE];
717
718			# ifdef USE_TLS
719	3	50	if (ssl->flags & SSL_FLAGS_TLS)
720			{
721			# ifdef USE_SHA256
722	3	50	if (ssl->nativeEnMacSize == SHA256_HASH_SIZE \|\|
		50
723	3		ssl->nativeEnMacSize == SHA384_HASH_SIZE)
724			{
725	0		tlsHMACSha2(ssl, HMAC_CREATE, type, data, len, mac,
726	0		ssl->nativeEnMacSize);
727			}
728			else
729			{
730			# endif
731			# ifdef USE_SHA1
732	3		tlsHMACSha1(ssl, HMAC_CREATE, type, data, len, mac);
733			# endif
734			# ifdef USE_SHA256
735			}
736			# endif
737			}
738			else
739			{
740			# endif /* USE_TLS */
741			# ifndef DISABLE_SSLV3
742			ssl3HMACSha1(ssl->sec.writeMAC, ssl->sec.seq, type, data,
743			len, mac);
744			# else
745	0		return PS_ARG_FAIL;
746			# endif /* DISABLE_SSLV3 */
747			# ifdef USE_TLS
748			}
749			# endif /* USE_TLS */
750
751	3		memcpy(macOut, mac, ssl->enMacSize);
752	3		return ssl->enMacSize;
753			}
754
755	3		static int32 csShaVerifyMac(void *sslv, unsigned char type,
756			unsigned char data, uint32 len, unsigned char mac)
757			{
758			unsigned char buf[MAX_HASH_SIZE];
759	3		ssl_t ssl = (ssl_t ) sslv;
760
761	3	50	if (ssl->flags & SSL_FLAGS_TLS)
762			{
763	3		switch (ssl->nativeDeMacSize)
764			{
765			# ifdef USE_SHA256
766			case SHA256_HASH_SIZE:
767			case SHA384_HASH_SIZE:
768	0		tlsHMACSha2(ssl, HMAC_VERIFY, type, data, len, buf,
769	0		ssl->nativeDeMacSize);
770	0		break;
771			# endif
772			# ifdef USE_SHA1
773			case SHA1_HASH_SIZE:
774	3		tlsHMACSha1(ssl, HMAC_VERIFY, type, data, len, buf);
775	3		break;
776			# endif
777			default:
778	0		memzero_s(buf, ssl->nativeDeMacSize); /* Will fail below */
779	3		break;
780			}
781			}
782			else
783			{
784			# ifndef DISABLE_SSLV3
785			ssl3HMACSha1(ssl->sec.readMAC, ssl->sec.remSeq, type, data, len, buf);
786			# else
787	0		memzero_s(buf, SHA1_HASH_SIZE); /* Will fail below */
788			# endif /* DISABLE_SSLV3 */
789			}
790	3	50	if (memcmpct(buf, mac, ssl->deMacSize) == 0)
791			{
792	3		return PS_SUCCESS;
793			}
794	3		return PS_FAILURE;
795			}
796			#endif /* USE_SHA_MAC */
797			/******************************************************************************/
798
799			/******************************************************************************/
800			#if defined(USE_MD5) && defined(USE_MD5_MAC)
801			/******************************************************************************/
802			static int32 csMd5GenerateMac(void *sslv, unsigned char type,
803			unsigned char data, uint32 len, unsigned char macOut)
804			{
805			unsigned char mac[MD5_HASH_SIZE];
806			ssl_t ssl = (ssl_t ) sslv;
807
808			# ifdef USE_TLS
809			if (ssl->flags & SSL_FLAGS_TLS)
810			{
811			tlsHMACMd5(ssl, HMAC_CREATE, type, data, len, mac);
812			}
813			else
814			{
815			# endif /* USE_TLS */
816			# ifndef DISABLE_SSLV3
817			ssl3HMACMd5(ssl->sec.writeMAC, ssl->sec.seq, type, data,
818			len, mac);
819			# else
820			return PS_ARG_FAIL;
821			# endif /* DISABLE_SSLV3 */
822			# ifdef USE_TLS
823			}
824			# endif /* USE_TLS */
825			memcpy(macOut, mac, ssl->enMacSize);
826			return ssl->enMacSize;
827			}
828
829			static int32 csMd5VerifyMac(void sslv, unsigned char type, unsigned char data,
830			uint32 len, unsigned char *mac)
831			{
832			unsigned char buf[MD5_HASH_SIZE];
833			ssl_t ssl = (ssl_t ) sslv;
834
835			# ifdef USE_TLS
836			if (ssl->flags & SSL_FLAGS_TLS)
837			{
838			tlsHMACMd5(ssl, HMAC_VERIFY, type, data, len, buf);
839			}
840			else
841			{
842			# endif /* USE_TLS */
843			# ifndef DISABLE_SSLV3
844			ssl3HMACMd5(ssl->sec.readMAC, ssl->sec.remSeq, type, data, len, buf);
845			# endif /* DISABLE_SSLV3 */
846			# ifdef USE_TLS
847			}
848			# endif /* USE_TLS */
849			if (memcmpct(buf, mac, ssl->deMacSize) == 0)
850			{
851			return PS_SUCCESS;
852			}
853			return PS_FAILURE;
854			}
855			#endif /* USE_MD5_MAC */
856
857			/******************************************************************************/
858
859			/* Set of bits corresponding to supported cipher ordinal. If set, it is
860			globally disabled */
861			static uint32_t disabledCipherFlags[8] = { 0 }; /* Supports up to 256 ciphers */
862
863			const static sslCipherSpec_t supportedCiphers[] = {
864			/*
865			New ciphers should be added here, similar to the ones below
866
867			Ciphers are listed in order of greater security at top... this generally
868			means the slower ones are on top as well.
869
870			256 ciphers max.
871
872			The ordering of the ciphers is grouped and sub-grouped by the following:
873			1. Non-deprecated
874			2. Ephemeral
875			3. Authentication Method (PKI > PSK > anon)
876			4. Hash Strength (SHA384 > SHA256 > SHA > MD5)
877			5. Cipher Strength (AES256 > AES128 > 3DES > ARC4 > SEED > IDEA > NULL)
878			6. PKI Key Exchange (DHE > ECDHE > ECDH > RSA > PSK)
879			7. Cipher Mode (GCM > CBC)
880			8. PKI Authentication Method (ECDSA > RSA > PSK)
881			*/
882
883			/* Ephemeral ciphersuites */
884			#ifdef USE_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
885			{ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, /* ident */
886			CS_ECDHE_ECDSA, /* type */
887			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA3, /* flags */
888			0, /* macSize */
889			32, /* keySize */
890			4, /* ivSize */
891			0, /* blocksize */
892			csAesGcmInit, /* init */
893			csAesGcmEncrypt, /* encrypt */
894			csAesGcmDecrypt, /* decrypt */
895			NULL, /* generateMac */
896			NULL }, /* verifyMac */
897			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
898
899			#ifdef USE_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
900			{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
901			CS_ECDHE_RSA,
902			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA3,
903			0, /* macSize */
904			32, /* keySize */
905			4, /* ivSize */
906			0, /* blocksize */
907			csAesGcmInit,
908			csAesGcmEncrypt,
909			csAesGcmDecrypt,
910			NULL,
911			NULL },
912			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
913
914			#ifdef USE_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
915			{ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
916			CS_ECDHE_ECDSA,
917			CRYPTO_FLAGS_CHACHA \| CRYPTO_FLAGS_SHA2,
918			0, /* macSize */
919			32, /* keySize */
920			CHACHA20POLY1305_IV_FIXED_LENGTH, /* ivSize */
921			0, /* blocksize */
922			csChacha20Poly1305Init,
923			csChacha20Poly1305Encrypt,
924			csChacha20Poly1305Decrypt,
925			NULL,
926			NULL },
927			#endif /* USE_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
928
929			#ifdef USE_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
930			{ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
931			CS_ECDHE_RSA,
932			CRYPTO_FLAGS_CHACHA \| CRYPTO_FLAGS_SHA2,
933			0, /* macSize */
934			32, /* keySize */
935			CHACHA20POLY1305_IV_FIXED_LENGTH, /* ivSize */
936			0, /* blocksize */
937			csChacha20Poly1305Init,
938			csChacha20Poly1305Encrypt,
939			csChacha20Poly1305Decrypt,
940			NULL,
941			NULL },
942			#endif /* USE_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
943
944			#ifdef USE_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
945			{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
946			CS_ECDHE_ECDSA,
947			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA3,
948			48, /* macSize */
949			32, /* keySize */
950			16, /* ivSize */
951			16, /* blocksize */
952			csAesInit,
953			csAesEncrypt,
954			csAesDecrypt,
955			csShaGenerateMac,
956			csShaVerifyMac },
957			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
958
959			#ifdef USE_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
960			{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
961			CS_ECDHE_RSA,
962			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA3,
963			48, /* macSize */
964			32, /* keySize */
965			16, /* ivSize */
966			16, /* blocksize */
967			csAesInit,
968			csAesEncrypt,
969			csAesDecrypt,
970			csShaGenerateMac,
971			csShaVerifyMac },
972			#endif /* USE_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
973
974			#ifdef USE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
975			{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
976			CS_DHE_RSA,
977			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA2,
978			32, /* macSize */
979			32, /* keySize */
980			16, /* ivSize */
981			16, /* blocksize */
982			csAesInit,
983			csAesEncrypt,
984			csAesDecrypt,
985			csShaGenerateMac,
986			csShaVerifyMac },
987			#endif /* USE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
988
989			#ifdef USE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
990			{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
991			CS_DHE_RSA,
992			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
993			32, /* macSize */
994			16, /* keySize */
995			16, /* ivSize */
996			16, /* blocksize */
997			csAesInit,
998			csAesEncrypt,
999			csAesDecrypt,
1000			csShaGenerateMac,
1001			csShaVerifyMac },
1002			#endif /* USE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
1003
1004			#ifdef USE_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1005			{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1006			CS_ECDHE_ECDSA,
1007			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA2,
1008			0, /* macSize */
1009			16, /* keySize */
1010			4, /* ivSize */
1011			0, /* blocksize */
1012			csAesGcmInit,
1013			csAesGcmEncrypt,
1014			csAesGcmDecrypt,
1015			NULL,
1016			NULL },
1017			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
1018
1019			#ifdef USE_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
1020			{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1021			CS_ECDHE_RSA,
1022			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA2,
1023			0, /* macSize */
1024			16, /* keySize */
1025			4, /* ivSize */
1026			0, /* blocksize */
1027			csAesGcmInit,
1028			csAesGcmEncrypt,
1029			csAesGcmDecrypt,
1030			NULL,
1031			NULL },
1032			#endif /* USE_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
1033
1034			#ifdef USE_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
1035			{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
1036			CS_ECDHE_ECDSA,
1037			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
1038			32, /* macSize */
1039			16, /* keySize */
1040			16, /* ivSize */
1041			16, /* blocksize */
1042			csAesInit,
1043			csAesEncrypt,
1044			csAesDecrypt,
1045			csShaGenerateMac,
1046			csShaVerifyMac },
1047			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
1048
1049			#ifdef USE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
1050			{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
1051			CS_ECDHE_RSA,
1052			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
1053			32, /* macSize */
1054			16, /* keySize */
1055			16, /* ivSize */
1056			16, /* blocksize */
1057			csAesInit,
1058			csAesEncrypt,
1059			csAesDecrypt,
1060			csShaGenerateMac,
1061			csShaVerifyMac },
1062			#endif /* USE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
1063
1064			#ifdef USE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1065			{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
1066			CS_DHE_RSA,
1067			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1068			20, /* macSize */
1069			32, /* keySize */
1070			16, /* ivSize */
1071			16, /* blocksize */
1072			csAesInit,
1073			csAesEncrypt,
1074			csAesDecrypt,
1075			csShaGenerateMac,
1076			csShaVerifyMac },
1077			#endif /* USE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
1078
1079			#ifdef USE_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
1080			{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1081			CS_ECDHE_ECDSA,
1082			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1083			20, /* macSize */
1084			32, /* keySize */
1085			16, /* ivSize */
1086			16, /* blocksize */
1087			csAesInit,
1088			csAesEncrypt,
1089			csAesDecrypt,
1090			csShaGenerateMac,
1091			csShaVerifyMac },
1092			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
1093
1094			#ifdef USE_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
1095			{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1096			CS_ECDHE_RSA,
1097			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1098			20, /* macSize */
1099			32, /* keySize */
1100			16, /* ivSize */
1101			16, /* blocksize */
1102			csAesInit,
1103			csAesEncrypt,
1104			csAesDecrypt,
1105			csShaGenerateMac,
1106			csShaVerifyMac },
1107			#endif /* USE_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
1108
1109			#ifdef USE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1110			{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
1111			CS_DHE_RSA,
1112			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1113			20, /* macSize */
1114			16, /* keySize */
1115			16, /* ivSize */
1116			16, /* blocksize */
1117			csAesInit,
1118			csAesEncrypt,
1119			csAesDecrypt,
1120			csShaGenerateMac,
1121			csShaVerifyMac },
1122			#endif /* USE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
1123
1124			#ifdef USE_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1125			{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1126			CS_ECDHE_ECDSA,
1127			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1128			20, /* macSize */
1129			16, /* keySize */
1130			16, /* ivSize */
1131			16, /* blocksize */
1132			csAesInit,
1133			csAesEncrypt,
1134			csAesDecrypt,
1135			csShaGenerateMac,
1136			csShaVerifyMac },
1137			#endif /* USE_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
1138
1139			#ifdef USE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
1140			{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1141			CS_ECDHE_RSA,
1142			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1143			20, /* macSize */
1144			16, /* keySize */
1145			16, /* ivSize */
1146			16, /* blocksize */
1147			csAesInit,
1148			csAesEncrypt,
1149			csAesDecrypt,
1150			csShaGenerateMac,
1151			csShaVerifyMac },
1152			#endif /* USE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
1153
1154			#ifdef USE_SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1155			{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
1156			CS_DHE_RSA,
1157			CRYPTO_FLAGS_3DES \| CRYPTO_FLAGS_SHA1,
1158			20, /* macSize */
1159			24, /* keySize */
1160			8, /* ivSize */
1161			8, /* blocksize */
1162			csDes3Init,
1163			csDes3Encrypt,
1164			csDes3Decrypt,
1165			csShaGenerateMac,
1166			csShaVerifyMac },
1167			#endif /* USE_SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
1168
1169			#ifdef USE_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
1170			{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
1171			CS_ECDHE_RSA,
1172			CRYPTO_FLAGS_3DES \| CRYPTO_FLAGS_SHA1,
1173			20, /* macSize */
1174			24, /* keySize */
1175			8, /* ivSize */
1176			8, /* blocksize */
1177			csDes3Init,
1178			csDes3Encrypt,
1179			csDes3Decrypt,
1180			csShaGenerateMac,
1181			csShaVerifyMac },
1182			#endif /* USE_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
1183
1184			#ifdef USE_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
1185			{ TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
1186			CS_DHE_PSK,
1187			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1188			20, /* macSize */
1189			32, /* keySize */
1190			16, /* ivSize */
1191			16, /* blocksize */
1192			csAesInit,
1193			csAesEncrypt,
1194			csAesDecrypt,
1195			csShaGenerateMac,
1196			csShaVerifyMac },
1197			#endif /* USE_TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
1198
1199			#ifdef USE_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
1200			{ TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
1201			CS_DHE_PSK,
1202			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1203			20, /* macSize */
1204			16, /* keySize */
1205			16, /* ivSize */
1206			16, /* blocksize */
1207			csAesInit,
1208			csAesEncrypt,
1209			csAesDecrypt,
1210			csShaGenerateMac,
1211			csShaVerifyMac },
1212			#endif /* USE_TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
1213
1214			/* Non-ephemeral ciphersuites */
1215
1216			#ifdef USE_TLS_RSA_WITH_AES_256_GCM_SHA384
1217			{ TLS_RSA_WITH_AES_256_GCM_SHA384,
1218			CS_RSA,
1219			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA3,
1220			0, /* macSize */
1221			32, /* keySize */
1222			4, /* ivSize */
1223			0, /* blocksize */
1224			csAesGcmInit,
1225			csAesGcmEncrypt,
1226			csAesGcmDecrypt,
1227			NULL,
1228			NULL },
1229			#endif
1230
1231			#ifdef USE_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
1232			{ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
1233			CS_ECDH_ECDSA,
1234			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA3,
1235			0, /* macSize */
1236			32, /* keySize */
1237			4, /* ivSize */
1238			0, /* blocksize */
1239			csAesGcmInit,
1240			csAesGcmEncrypt,
1241			csAesGcmDecrypt,
1242			NULL,
1243			NULL },
1244			#endif /* USE_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
1245
1246			#ifdef USE_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
1247			{ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
1248			CS_ECDH_RSA,
1249			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA3,
1250			0, /* macSize */
1251			32, /* keySize */
1252			4, /* ivSize */
1253			0, /* blocksize */
1254			csAesGcmInit,
1255			csAesGcmEncrypt,
1256			csAesGcmDecrypt,
1257			NULL,
1258			NULL },
1259			#endif /* USE_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
1260
1261			#ifdef USE_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
1262			{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
1263			CS_ECDH_ECDSA,
1264			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA3,
1265			48, /* macSize */
1266			32, /* keySize */
1267			16, /* ivSize */
1268			16, /* blocksize */
1269			csAesInit,
1270			csAesEncrypt,
1271			csAesDecrypt,
1272			csShaGenerateMac,
1273			csShaVerifyMac },
1274			#endif /* USE_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
1275
1276			#ifdef USE_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
1277			{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
1278			CS_ECDH_RSA,
1279			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA3,
1280			48, /* macSize */
1281			32, /* keySize */
1282			16, /* ivSize */
1283			16, /* blocksize */
1284			csAesInit,
1285			csAesEncrypt,
1286			csAesDecrypt,
1287			csShaGenerateMac,
1288			csShaVerifyMac },
1289			#endif /* USE_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
1290
1291			#ifdef USE_TLS_RSA_WITH_AES_256_CBC_SHA256
1292			{ TLS_RSA_WITH_AES_256_CBC_SHA256,
1293			CS_RSA,
1294			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA2,
1295			32, /* macSize */
1296			32, /* keySize */
1297			16, /* ivSize */
1298			16, /* blocksize */
1299			csAesInit,
1300			csAesEncrypt,
1301			csAesDecrypt,
1302			csShaGenerateMac,
1303			csShaVerifyMac },
1304			#endif
1305
1306			#ifdef USE_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
1307			{ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
1308			CS_ECDH_ECDSA,
1309			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA2,
1310			0, /* macSize */
1311			16, /* keySize */
1312			4, /* ivSize */
1313			0, /* blocksize */
1314			csAesGcmInit,
1315			csAesGcmEncrypt,
1316			csAesGcmDecrypt,
1317			NULL,
1318			NULL },
1319			#endif /* USE_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
1320
1321			#ifdef USE_TLS_RSA_WITH_AES_128_GCM_SHA256
1322			{ TLS_RSA_WITH_AES_128_GCM_SHA256,
1323			CS_RSA,
1324			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA2,
1325			0, /* macSize */
1326			16, /* keySize */
1327			4, /* ivSize */
1328			0, /* blocksize */
1329			csAesGcmInit,
1330			csAesGcmEncrypt,
1331			csAesGcmDecrypt,
1332			NULL,
1333			NULL },
1334			#endif
1335
1336			#ifdef USE_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
1337			{ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
1338			CS_ECDH_RSA,
1339			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_SHA2,
1340			0, /* macSize */
1341			16, /* keySize */
1342			4, /* ivSize */
1343			0, /* blocksize */
1344			csAesGcmInit,
1345			csAesGcmEncrypt,
1346			csAesGcmDecrypt,
1347			NULL,
1348			NULL },
1349			#endif /* USE_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
1350
1351			#ifdef USE_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
1352			{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
1353			CS_ECDH_ECDSA,
1354			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
1355			32, /* macSize */
1356			16, /* keySize */
1357			16, /* ivSize */
1358			16, /* blocksize */
1359			csAesInit,
1360			csAesEncrypt,
1361			csAesDecrypt,
1362			csShaGenerateMac,
1363			csShaVerifyMac },
1364			#endif /* USE_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
1365
1366			#ifdef USE_TLS_RSA_WITH_AES_128_CBC_SHA256
1367			{ TLS_RSA_WITH_AES_128_CBC_SHA256,
1368			CS_RSA,
1369			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
1370			32, /* macSize */
1371			16, /* keySize */
1372			16, /* ivSize */
1373			16, /* blocksize */
1374			csAesInit,
1375			csAesEncrypt,
1376			csAesDecrypt,
1377			csShaGenerateMac,
1378			csShaVerifyMac },
1379			#endif
1380
1381			#ifdef USE_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
1382			{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
1383			CS_ECDH_RSA,
1384			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
1385			32, /* macSize */
1386			16, /* keySize */
1387			16, /* ivSize */
1388			16, /* blocksize */
1389			csAesInit,
1390			csAesEncrypt,
1391			csAesDecrypt,
1392			csShaGenerateMac,
1393			csShaVerifyMac },
1394			#endif /* USE_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
1395
1396			#ifdef USE_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
1397			{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
1398			CS_ECDH_ECDSA,
1399			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1400			20, /* macSize */
1401			32, /* keySize */
1402			16, /* ivSize */
1403			16, /* blocksize */
1404			csAesInit,
1405			csAesEncrypt,
1406			csAesDecrypt,
1407			csShaGenerateMac,
1408			csShaVerifyMac },
1409			#endif /* USE_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
1410
1411			#ifdef USE_TLS_RSA_WITH_AES_256_CBC_SHA
1412			{ TLS_RSA_WITH_AES_256_CBC_SHA,
1413			CS_RSA,
1414			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1415			20, /* macSize */
1416			32, /* keySize */
1417			16, /* ivSize */
1418			16, /* blocksize */
1419			csAesInit,
1420			csAesEncrypt,
1421			csAesDecrypt,
1422			csShaGenerateMac,
1423			csShaVerifyMac },
1424			#endif /* USE_TLS_RSA_WITH_AES_256_CBC_SHA */
1425
1426			#ifdef USE_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
1427			{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
1428			CS_ECDH_RSA,
1429			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1430			20, /* macSize */
1431			32, /* keySize */
1432			16, /* ivSize */
1433			16, /* blocksize */
1434			csAesInit,
1435			csAesEncrypt,
1436			csAesDecrypt,
1437			csShaGenerateMac,
1438			csShaVerifyMac },
1439			#endif /* USE_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
1440
1441			#ifdef USE_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
1442			{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
1443			CS_ECDH_ECDSA,
1444			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1445			20, /* macSize */
1446			16, /* keySize */
1447			16, /* ivSize */
1448			16, /* blocksize */
1449			csAesInit,
1450			csAesEncrypt,
1451			csAesDecrypt,
1452			csShaGenerateMac,
1453			csShaVerifyMac },
1454			#endif /* USE_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
1455
1456			#ifdef USE_TLS_RSA_WITH_AES_128_CBC_SHA
1457			{ TLS_RSA_WITH_AES_128_CBC_SHA,
1458			CS_RSA,
1459			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1460			20, /* macSize */
1461			16, /* keySize */
1462			16, /* ivSize */
1463			16, /* blocksize */
1464			csAesInit,
1465			csAesEncrypt,
1466			csAesDecrypt,
1467			csShaGenerateMac,
1468			csShaVerifyMac },
1469			#endif /* USE_TLS_RSA_WITH_AES_128_CBC_SHA */
1470
1471			#ifdef USE_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
1472			{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
1473			CS_ECDH_RSA,
1474			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1475			20, /* macSize */
1476			16, /* keySize */
1477			16, /* ivSize */
1478			16, /* blocksize */
1479			csAesInit,
1480			csAesEncrypt,
1481			csAesDecrypt,
1482			csShaGenerateMac,
1483			csShaVerifyMac },
1484			#endif /* USE_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
1485
1486			#ifdef USE_SSL_RSA_WITH_3DES_EDE_CBC_SHA
1487			{ SSL_RSA_WITH_3DES_EDE_CBC_SHA,
1488			CS_RSA,
1489			CRYPTO_FLAGS_3DES \| CRYPTO_FLAGS_SHA1,
1490			20, /* macSize */
1491			24, /* keySize */
1492			8, /* ivSize */
1493			8, /* blocksize */
1494			csDes3Init,
1495			csDes3Encrypt,
1496			csDes3Decrypt,
1497			csShaGenerateMac,
1498			csShaVerifyMac },
1499			#endif /* USE_SSL_RSA_WITH_3DES_EDE_CBC_SHA */
1500
1501			#ifdef USE_TLS_PSK_WITH_AES_256_CBC_SHA384
1502			{ TLS_PSK_WITH_AES_256_CBC_SHA384,
1503			CS_PSK,
1504			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA3,
1505			48, /* macSize */
1506			32, /* keySize */
1507			16, /* ivSize */
1508			16, /* blocksize */
1509			csAesInit,
1510			csAesEncrypt,
1511			csAesDecrypt,
1512			csShaGenerateMac,
1513			csShaVerifyMac },
1514			#endif /* USE_TLS_PSK_WITH_AES_256_CBC_SHA384 */
1515
1516			#ifdef USE_TLS_PSK_WITH_AES_128_CBC_SHA256
1517			{ TLS_PSK_WITH_AES_128_CBC_SHA256,
1518			CS_PSK,
1519			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA2,
1520			32, /* macSize */
1521			16, /* keySize */
1522			16, /* ivSize */
1523			16, /* blocksize */
1524			csAesInit,
1525			csAesEncrypt,
1526			csAesDecrypt,
1527			csShaGenerateMac,
1528			csShaVerifyMac },
1529			#endif /* USE_TLS_PSK_WITH_AES_128_CBC_SHA256 */
1530
1531			#ifdef USE_TLS_PSK_WITH_AES_256_CBC_SHA
1532			{ TLS_PSK_WITH_AES_256_CBC_SHA,
1533			CS_PSK,
1534			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1535			20, /* macSize */
1536			32, /* keySize */
1537			16, /* ivSize */
1538			16, /* blocksize */
1539			csAesInit,
1540			csAesEncrypt,
1541			csAesDecrypt,
1542			csShaGenerateMac,
1543			csShaVerifyMac },
1544			#endif /* USE_TLS_PSK_WITH_AES_256_CBC_SHA */
1545
1546			#ifdef USE_TLS_PSK_WITH_AES_128_CBC_SHA
1547			{ TLS_PSK_WITH_AES_128_CBC_SHA,
1548			CS_PSK,
1549			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1550			20, /* macSize */
1551			16, /* keySize */
1552			16, /* ivSize */
1553			16, /* blocksize */
1554			csAesInit,
1555			csAesEncrypt,
1556			csAesDecrypt,
1557			csShaGenerateMac,
1558			csShaVerifyMac },
1559			#endif /* USE_TLS_PSK_WITH_AES_128_CBC_SHA */
1560
1561			/* @security Deprecated weak ciphers */
1562
1563			#ifdef USE_SSL_RSA_WITH_RC4_128_SHA
1564			{ SSL_RSA_WITH_RC4_128_SHA,
1565			CS_RSA,
1566			CRYPTO_FLAGS_ARC4 \| CRYPTO_FLAGS_ARC4INITE \| CRYPTO_FLAGS_ARC4INITD \| CRYPTO_FLAGS_SHA1,
1567			20, /* macSize */
1568			16, /* keySize */
1569			0, /* ivSize */
1570			1, /* blocksize */
1571			csArc4Init,
1572			csArc4Encrypt,
1573			csArc4Decrypt,
1574			csShaGenerateMac,
1575			csShaVerifyMac },
1576			#endif /* USE_SSL_RSA_WITH_RC4_128_SHA */
1577
1578			#ifdef USE_TLS_RSA_WITH_SEED_CBC_SHA
1579			{ TLS_RSA_WITH_SEED_CBC_SHA,
1580			CS_RSA,
1581			CRYPTO_FLAGS_SHA1,
1582			20, /* macSize */
1583			16, /* keySize */
1584			16, /* ivSize */
1585			16, /* blocksize */
1586			csSeedInit,
1587			csSeedEncrypt,
1588			csSeedDecrypt,
1589			csShaGenerateMac,
1590			csShaVerifyMac },
1591			#endif /* USE_SSL_RSA_WITH_SEED_CBC_SHA */
1592
1593			#ifdef USE_TLS_RSA_WITH_IDEA_CBC_SHA
1594			{ TLS_RSA_WITH_IDEA_CBC_SHA,
1595			CS_RSA,
1596			CRYPTO_FLAGS_IDEA \| CRYPTO_FLAGS_SHA1,
1597			20, /* macSize */
1598			16, /* keySize */
1599			8, /* ivSize */
1600			8, /* blocksize */
1601			csIdeaInit,
1602			csIdeaEncrypt,
1603			csIdeaDecrypt,
1604			csShaGenerateMac,
1605			csShaVerifyMac },
1606			#endif /* USE_SSL_RSA_WITH_IDEA_CBC_SHA */
1607
1608			#ifdef USE_SSL_RSA_WITH_RC4_128_MD5
1609			{ SSL_RSA_WITH_RC4_128_MD5,
1610			CS_RSA,
1611			CRYPTO_FLAGS_ARC4 \| CRYPTO_FLAGS_ARC4INITE \| CRYPTO_FLAGS_ARC4INITD \| CRYPTO_FLAGS_MD5,
1612			16, /* macSize */
1613			16, /* keySize */
1614			0, /* ivSize */
1615			1, /* blocksize */
1616			csArc4Init,
1617			csArc4Encrypt,
1618			csArc4Decrypt,
1619			csMd5GenerateMac,
1620			csMd5VerifyMac },
1621			#endif /* USE_SSL_RSA_WITH_RC4_128_MD5 */
1622
1623			/* @security Deprecated unencrypted ciphers */
1624
1625			#ifdef USE_SSL_RSA_WITH_NULL_SHA
1626			{ SSL_RSA_WITH_NULL_SHA,
1627			CS_RSA,
1628			CRYPTO_FLAGS_SHA1,
1629			20, /* macSize */
1630			0, /* keySize */
1631			0, /* ivSize */
1632			0, /* blocksize */
1633			csNullInit,
1634			csNullEncrypt,
1635			csNullDecrypt,
1636			csShaGenerateMac,
1637			csShaVerifyMac },
1638			#endif /* USE_SSL_RSA_WITH_NULL_SHA */
1639
1640			#ifdef USE_SSL_RSA_WITH_NULL_MD5
1641			{ SSL_RSA_WITH_NULL_MD5,
1642			CS_RSA,
1643			CRYPTO_FLAGS_MD5,
1644			16, /* macSize */
1645			0, /* keySize */
1646			0, /* ivSize */
1647			0, /* blocksize */
1648			csNullInit,
1649			csNullEncrypt,
1650			csNullDecrypt,
1651			csMd5GenerateMac,
1652			csMd5VerifyMac },
1653			#endif /* USE_SSL_RSA_WITH_NULL_MD5 */
1654
1655			/* @security Deprecated unauthenticated ciphers */
1656
1657			#ifdef USE_TLS_DH_anon_WITH_AES_256_CBC_SHA
1658			{ TLS_DH_anon_WITH_AES_256_CBC_SHA,
1659			CS_DH_ANON,
1660			CRYPTO_FLAGS_AES256 \| CRYPTO_FLAGS_SHA1,
1661			20, /* macSize */
1662			32, /* keySize */
1663			16, /* ivSize */
1664			16, /* blocksize */
1665			csAesInit,
1666			csAesEncrypt,
1667			csAesDecrypt,
1668			csShaGenerateMac,
1669			csShaVerifyMac },
1670			#endif /* USE_TLS_DH_anon_WITH_AES_256_CBC_SHA */
1671
1672			#ifdef USE_TLS_DH_anon_WITH_AES_128_CBC_SHA
1673			{ TLS_DH_anon_WITH_AES_128_CBC_SHA,
1674			CS_DH_ANON,
1675			CRYPTO_FLAGS_AES \| CRYPTO_FLAGS_SHA1,
1676			20, /* macSize */
1677			16, /* keySize */
1678			16, /* ivSize */
1679			16, /* blocksize */
1680			csAesInit,
1681			csAesEncrypt,
1682			csAesDecrypt,
1683			csShaGenerateMac,
1684			csShaVerifyMac },
1685			#endif /* USE_TLS_DH_anon_WITH_AES_128_CBC_SHA */
1686
1687			#ifdef USE_SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
1688			{ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
1689			CS_DH_ANON,
1690			CRYPTO_FLAGS_3DES \| CRYPTO_FLAGS_SHA1,
1691			20, /* macSize */
1692			24, /* keySize */
1693			8, /* ivSize */
1694			8, /* blocksize */
1695			csDes3Init,
1696			csDes3Encrypt,
1697			csDes3Decrypt,
1698			csShaGenerateMac,
1699			csShaVerifyMac },
1700			#endif /* USE_SSL_DH_anon_WITH_3DES_EDE_CBC_SHA */
1701
1702			#ifdef USE_SSL_DH_anon_WITH_RC4_128_MD5
1703			{ SSL_DH_anon_WITH_RC4_128_MD5,
1704			CS_DH_ANON,
1705			CRYPTO_FLAGS_ARC4INITE \| CRYPTO_FLAGS_ARC4INITD \| CRYPTO_FLAGS_MD5,
1706			16, /* macSize */
1707			16, /* keySize */
1708			0, /* ivSize */
1709			1, /* blocksize */
1710			csArc4Init,
1711			csArc4Encrypt,
1712			csArc4Decrypt,
1713			csMd5GenerateMac,
1714			csMd5VerifyMac },
1715			#endif /* USE_SSL_DH_anon_WITH_RC4_128_MD5 */
1716
1717			/*
1718			The NULL Cipher suite must exist and be the last in this list
1719			*/
1720			{ SSL_NULL_WITH_NULL_NULL,
1721			CS_NULL,
1722			0,
1723			0,
1724			0,
1725			0,
1726			0,
1727			csNullInit,
1728			csNullEncrypt,
1729			csNullDecrypt,
1730			csNullGenerateMac,
1731			csNullVerifyMac }
1732			};
1733
1734			#ifdef USE_SERVER_SIDE_SSL
1735			/******************************************************************************/
1736			/*
1737			Disable and re-enable ciphers suites on a global or per-session level.
1738			This is only a server-side feature because the client is always able to
1739			nominate the specific cipher it wishes to use. Servers may want to disable
1740			specific ciphers for a given session (or globally without having to
1741			rebuild the library).
1742
1743			This function must be called immediately after matrixSslNewServerSession
1744
1745			If ssl is NULL, the setting will be global. If a cipher is globally
1746			disabled, the per-session setting will be ignored.
1747
1748			flags:
1749			PS_TRUE to reenable (always enabled by default if compiled in)
1750			PS_FALSE to disable cipher suite
1751			*/
1752	13		int32_t matrixSslSetCipherSuiteEnabledStatus(ssl_t *ssl, psCipher16_t cipherId,
1753			uint32_t flags)
1754			{
1755			uint8_t i, j;
1756
1757	13	100	if (ssl && !(ssl->flags & SSL_FLAGS_SERVER))
		100
1758			{
1759	1		return PS_UNSUPPORTED_FAIL;
1760			}
1761	12	100	if (flags != PS_TRUE && flags != PS_FALSE)
		50
1762			{
1763	0		return PS_ARG_FAIL;
1764			}
1765	218	100	for (i = 0; supportedCiphers[i].ident != SSL_NULL_WITH_NULL_NULL; i++)
1766			{
1767	216	100	if (supportedCiphers[i].ident == cipherId)
1768			{
1769	10	100	if (ssl == NULL)
1770			{
1771			/*
1772			Global status of cipher suite. Disabled status takes
1773			precident over session setting
1774			*/
1775	6	100	if (flags == PS_TRUE)
1776			{
1777			/* Unset the disabled bit */
1778	2		disabledCipherFlags[i >> 5] &= ~(1 << (i & 31));
1779			}
1780			else
1781			{
1782			/* Set the disabled bit */
1783	4		disabledCipherFlags[i >> 5] \|= 1 << (i & 31);
1784			}
1785	6		return PS_SUCCESS;
1786			}
1787			else
1788			{
1789			/* Status of this suite for a specific session */
1790	12	100	for (j = 0; j < SSL_MAX_DISABLED_CIPHERS; j++)
1791			{
1792	11	100	if (flags == PS_FALSE)
1793			{
1794			/* Find first empty spot to add disabled cipher */
1795	2	100	if (ssl->disabledCiphers[j] == 0x0 \|\|
		50
1796	1		ssl->disabledCiphers[j] == cipherId)
1797			{
1798	2		ssl->disabledCiphers[j] = cipherId;
1799	2		return PS_SUCCESS;
1800			}
1801			}
1802			else
1803			{
1804	9	100	if (ssl->disabledCiphers[j] == cipherId)
1805			{
1806	1		ssl->disabledCiphers[j] = 0x0;
1807	1		return PS_SUCCESS;
1808			}
1809			}
1810			}
1811	1	50	if (flags == PS_FALSE)
1812			{
1813	0		return PS_LIMIT_FAIL; /* No empty spot in disabledCiphers */
1814			}
1815			else
1816			{
1817			/* Tried to re-enabled a cipher that wasn't disabled */
1818	1		return PS_SUCCESS;
1819			}
1820			}
1821			}
1822			}
1823	2		return PS_FAILURE; /* Cipher not found */
1824			}
1825			/*
1826			Convert the cipher suite "type" into what public key signature algorithm is
1827			required. Return values are from the sigAlgorithm of psX509_t:
1828
1829			RSA_TYPE_SIG (User must also test for RSAPSS_TYPE_SIG!!)
1830			ECDSA_TYPE_SIG
1831
1832			CS_NULL (0) if no public key signatures needed (PSK and DH_anon)
1833
1834			The dhParamsRequired return paramater must hold whether standard DH
1835			is used in the suite. The caller will have to load some during
1836			the callback if so
1837
1838			The ecKeyExchange is to identify RSA signatures but EC key exchange
1839			*/
1840
1841	0		static uint16 getKeyTypeFromCipherType(uint16 type, uint16 *dhParamsRequired,
1842			uint16 *ecKeyExchange)
1843			{
1844	0		dhParamsRequired = ecKeyExchange = 0;
1845	0		switch (type)
1846			{
1847			case CS_RSA:
1848	0		return RSA_TYPE_SIG;
1849
1850			case CS_DHE_RSA:
1851	0		*dhParamsRequired = 1;
1852	0		return RSA_TYPE_SIG;
1853
1854			case CS_DH_ANON:
1855			case CS_DHE_PSK:
1856	0		*dhParamsRequired = 1;
1857	0		return CS_NULL;
1858
1859			case CS_ECDHE_ECDSA:
1860			case CS_ECDH_ECDSA:
1861	0		return ECDSA_TYPE_SIG;
1862
1863			case CS_ECDHE_RSA:
1864			case CS_ECDH_RSA:
1865	0		*ecKeyExchange = 1;
1866	0		return RSA_TYPE_SIG;
1867
1868			default: /* CS_NULL or CS_PSK type */
1869	0		return CS_NULL; /* a cipher suite with no pub key or DH */
1870			}
1871			}
1872			#endif /* USE_SERVER_SIDE_SSL */
1873
1874			#ifdef VALIDATE_KEY_MATERIAL
1875			# define KEY_ALG_ANY 1
1876			# define KEY_ALG_FIRST 2
1877			/*
1878			anyOrFirst is basically a determination of whether we are looking through
1879			a collection of CA files for an algorithm (ANY) or a cert chain where
1880			we really only care about the child most cert because that is the one
1881			that ultimately determines the authentication algorithm (FIRST)
1882			*/
1883	358331		static int32 haveCorrectKeyAlg(psX509Cert_t *cert, int32 keyAlg, int anyOrFirst)
1884			{
1885	358331	50	while (cert)
1886			{
1887	358331	50	if (cert->pubKeyAlgorithm == keyAlg)
1888			{
1889	358331		return PS_SUCCESS;
1890			}
1891	0	0	if (anyOrFirst == KEY_ALG_FIRST)
1892			{
1893	0		return PS_FAILURE;
1894			}
1895	0		cert = cert->next;
1896			}
1897	0		return PS_FAILURE;
1898			}
1899
1900			# ifdef USE_SERVER_SIDE_SSL
1901			/* If using TLS 1.2 we need to test agains the sigHashAlg and eccParams */
1902	1147		static int32_t validateKeyForExtensions(ssl_t ssl, const sslCipherSpec_t spec,
1903			sslKeys_t *givenKey)
1904			{
1905			# ifdef USE_TLS_1_2
1906			psX509Cert_t *crt;
1907			# endif
1908
1909			/* Can immediately weed out PSK suites and anon suites that don't use
1910			sigHashAlg or EC curves */
1911	1147	50	if (spec->type == CS_PSK \|\| spec->type == CS_DHE_PSK \|\|
		50
		50
1912	1147		spec->type == CS_DH_ANON)
1913			{
1914	0		return PS_SUCCESS;
1915			}
1916
1917			# ifdef USE_TLS_1_2
1918			/* hash and sig alg is a TLS 1.2 only extension */
1919	1147	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
1920			{
1921
1922			/* Walk through each cert and confirm the client will be able to
1923			deal with them based on the algorithms provided in the extension */
1924	1147		crt = givenKey->cert;
1925	2294	100	while (crt)
1926			{
1927
1928			# ifdef USE_DHE_CIPHER_SUITE
1929			/* Have to look out for the case where the public key alg doesn't
1930			match the sig algorithm. This is only a concern for DHE based
1931			suites where we'll be sending a signature in the
1932			SeverKeyExchange message */
1933	1147	50	if (spec->type == CS_DHE_RSA \|\| spec->type == CS_ECDHE_RSA \|\|
		100
		50
1934	1		spec->type == CS_ECDHE_ECDSA)
1935			{
1936	1146	50	if (crt->pubKeyAlgorithm == OID_RSA_KEY_ALG)
1937			{
1938	1146	50	if (
1939			# ifdef USE_SHA1
1940	0	0	!(ssl->hashSigAlg & HASH_SIG_SHA1_RSA_MASK) &&
1941			# endif
1942			# ifdef USE_SHA384
1943	0	0	!(ssl->hashSigAlg & HASH_SIG_SHA384_RSA_MASK) &&
1944			# endif
1945			# ifdef USE_SHA512
1946	0	0	!(ssl->hashSigAlg & HASH_SIG_SHA512_RSA_MASK) &&
1947			# endif
1948	0		!(ssl->hashSigAlg & HASH_SIG_SHA256_RSA_MASK))
1949			{
1950	0		return PS_UNSUPPORTED_FAIL;
1951			}
1952			}
1953			# ifdef USE_ECC
1954	1146	50	if (crt->pubKeyAlgorithm == OID_ECDSA_KEY_ALG)
1955			{
1956	0	0	if (
1957			# ifdef USE_SHA1
1958	0	0	!(ssl->hashSigAlg & HASH_SIG_SHA1_ECDSA_MASK) &&
1959			# endif
1960			# ifdef USE_SHA384
1961	0	0	!(ssl->hashSigAlg & HASH_SIG_SHA384_ECDSA_MASK) &&
1962			# endif
1963			# ifdef USE_SHA512
1964	0	0	!(ssl->hashSigAlg & HASH_SIG_SHA512_ECDSA_MASK) &&
1965			# endif
1966	0		!(ssl->hashSigAlg & HASH_SIG_SHA256_ECDSA_MASK))
1967			{
1968	0		return PS_UNSUPPORTED_FAIL;
1969			}
1970			}
1971			# endif /* USE_ECC */
1972			}
1973			# endif /* USE_DHE_CIPHER_SUITE */
1974
1975			/* Now look for the specific pubkey/hash combo is supported */
1976	1147		switch (crt->sigAlgorithm)
1977			{
1978			# ifdef USE_RSA_CIPHER_SUITE
1979			case OID_SHA256_RSA_SIG:
1980	1147	50	if (!(ssl->hashSigAlg & HASH_SIG_SHA256_RSA_MASK))
1981			{
1982	0		return PS_UNSUPPORTED_FAIL;
1983			}
1984	1147		break;
1985			# ifdef USE_SHA1
1986			case OID_SHA1_RSA_SIG:
1987	0	0	if (!(ssl->hashSigAlg & HASH_SIG_SHA1_RSA_MASK))
1988			{
1989	0		return PS_UNSUPPORTED_FAIL;
1990			}
1991	0		break;
1992			# endif
1993			# ifdef USE_SHA384
1994			case OID_SHA384_RSA_SIG:
1995	0	0	if (!(ssl->hashSigAlg & HASH_SIG_SHA384_RSA_MASK))
1996			{
1997	0		return PS_UNSUPPORTED_FAIL;
1998			}
1999	0		break;
2000			# endif
2001			# endif /* USE_RSA_CIPHER_SUITE */
2002			# ifdef USE_ECC_CIPHER_SUITE
2003			case OID_SHA256_ECDSA_SIG:
2004	0	0	if (!(ssl->hashSigAlg & HASH_SIG_SHA256_ECDSA_MASK))
2005			{
2006	0		return PS_UNSUPPORTED_FAIL;
2007			}
2008	0		break;
2009			# ifdef USE_SHA1
2010			case OID_SHA1_ECDSA_SIG:
2011	0	0	if (!(ssl->hashSigAlg & HASH_SIG_SHA1_ECDSA_MASK))
2012			{
2013	0		return PS_UNSUPPORTED_FAIL;
2014			}
2015	0		break;
2016			# endif
2017			# ifdef USE_SHA384
2018			case OID_SHA384_ECDSA_SIG:
2019	0	0	if (!(ssl->hashSigAlg & HASH_SIG_SHA384_ECDSA_MASK))
2020			{
2021	0		return PS_UNSUPPORTED_FAIL;
2022			}
2023	0		break;
2024			# endif
2025			# endif /* USE_ECC */
2026			default:
2027			psTraceInfo("Don't share ANY sig/hash algorithms with peer\n");
2028	0		return PS_UNSUPPORTED_FAIL;
2029			}
2030
2031			# ifdef USE_ECC
2032			/* EC suites have the added check of specific curves. Just
2033			checking DH suites because the curve comes from the cert.
2034			ECDHE suites negotiate key exchange curve elsewhere */
2035	1147	50	if (spec->type == CS_ECDH_ECDSA \|\| spec->type == CS_ECDH_RSA)
		50
2036			{
2037	0	0	if (ssl->ecInfo.ecFlags)
2038			{
2039			/* Do negotiated curves work with our signatures */
2040	0	0	if (psTestUserEcID(crt->publicKey.key.ecc.curve->curveId,
2041	0		ssl->ecInfo.ecFlags) < 0)
2042			{
2043	0		return PS_UNSUPPORTED_FAIL;
2044			}
2045			}
2046			else
2047			{
2048			psTraceInfo("Don't share ANY EC curves with peer\n");
2049	0		return PS_UNSUPPORTED_FAIL;
2050			}
2051			}
2052			# endif
2053	1147		crt = crt->next;
2054			}
2055			}
2056
2057
2058			# endif /* USE_TLS_1_2 */
2059
2060			/* Must be good */
2061	1147		return PS_SUCCESS;
2062			}
2063
2064			/*
2065			This is the signature algorithm that the client will be using to encrypt
2066			the key material based on what the cipher suite says it should be.
2067			Only looking at child most cert
2068			*/
2069	1147		static int32 haveCorrectSigAlg(psX509Cert_t *cert, int32 sigType)
2070			{
2071	1147	50	if (sigType == RSA_TYPE_SIG)
2072			{
2073	1147	50	if (cert->sigAlgorithm == OID_SHA1_RSA_SIG \|\|
		50
2074	0	0	cert->sigAlgorithm == OID_SHA256_RSA_SIG \|\|
2075	0	0	cert->sigAlgorithm == OID_SHA384_RSA_SIG \|\|
2076	0	0	cert->sigAlgorithm == OID_SHA512_RSA_SIG \|\|
2077	0	0	cert->sigAlgorithm == OID_MD5_RSA_SIG \|\|
2078	0	0	cert->sigAlgorithm == OID_MD2_RSA_SIG \|\|
2079	0		cert->sigAlgorithm == OID_RSASSA_PSS)
2080			{
2081	1147		return PS_SUCCESS;
2082			}
2083			}
2084	0	0	else if (sigType == ECDSA_TYPE_SIG)
2085			{
2086	0	0	if (cert->sigAlgorithm == OID_SHA1_ECDSA_SIG \|\|
		0
2087	0	0	cert->sigAlgorithm == OID_SHA224_ECDSA_SIG \|\|
2088	0	0	cert->sigAlgorithm == OID_SHA256_ECDSA_SIG \|\|
2089	0	0	cert->sigAlgorithm == OID_SHA384_ECDSA_SIG \|\|
2090	0		cert->sigAlgorithm == OID_SHA512_ECDSA_SIG)
2091			{
2092	0		return PS_SUCCESS;
2093			}
2094			}
2095
2096	0		return PS_FAILURE;
2097			}
2098			# endif /* USE_SERVER_SIDE_SSL */
2099
2100			/******************************************************************************/
2101			/*
2102			Don't report a matching cipher suite if the user hasn't loaded the
2103			proper public key material to support it. We do not check the client
2104			auth side of the algorithms because that authentication mechanism is
2105			negotiated within the handshake itself
2106
2107			The annoying #ifdef USE_SERVER_SIDE and CLIENT_SIDE are because the
2108			structure members only exist one one side or the other and so are used
2109			for compiling. You can't actually get into the wrong area of the
2110			SSL_FLAGS_SERVER test so no #else cases should be needed
2111			*/
2112	402979		int32_t haveKeyMaterial(const ssl_t *ssl, int32 cipherType, short reallyTest)
2113			{
2114
2115			# ifdef USE_SERVER_SIDE_SSL
2116			/* If the user has a ServerNameIndication callback registered we're
2117			going to skip the first test because they may not have loaded the
2118			final key material yet */
2119	402979	50	if (ssl->sni_cb && reallyTest == 0)
		0
2120			{
2121	0		return PS_SUCCESS;
2122			}
2123			# endif
2124
2125			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2126
2127			/* To start, capture all the cipherTypes where servers must have an
2128			identity and clients have a CA so we don't repeat them everywhere */
2129	402979	100	if (cipherType == CS_RSA \|\| cipherType == CS_DHE_RSA \|\|
		100
		100
2130	44648	50	cipherType == CS_ECDHE_RSA \|\| cipherType == CS_ECDH_RSA \|\|
		50
2131	44648	50	cipherType == CS_ECDHE_ECDSA \|\| cipherType == CS_ECDH_ECDSA)
2132			{
2133	358331	100	if (ssl->flags & SSL_FLAGS_SERVER)
2134			{
2135			# ifdef USE_SERVER_SIDE_SSL
2136	1147	50	if (ssl->keys == NULL \|\| ssl->keys->cert == NULL)
		50
2137			{
2138	0		return PS_FAILURE;
2139			}
2140			# endif
2141			# ifdef USE_CLIENT_SIDE_SSL
2142			}
2143			else
2144			{
2145	357184	50	if (ssl->keys == NULL \|\| ssl->keys->CAcerts == NULL)
		50
2146			{
2147	0		return PS_FAILURE;
2148			}
2149			# endif
2150			}
2151			}
2152
2153			/* Standard RSA ciphers types - auth and exchange */
2154	402979	100	if (cipherType == CS_RSA)
2155			{
2156	133945	100	if (ssl->flags & SSL_FLAGS_SERVER)
2157			{
2158			# ifdef USE_SERVER_SIDE_SSL
2159	1	50	if (haveCorrectKeyAlg(ssl->keys->cert, OID_RSA_KEY_ALG,
2160			KEY_ALG_FIRST) < 0)
2161			{
2162	0		return PS_FAILURE;
2163			}
2164	1	50	if (haveCorrectSigAlg(ssl->keys->cert, RSA_TYPE_SIG) < 0)
2165			{
2166	0		return PS_FAILURE;
2167			}
2168			# endif
2169			# ifdef USE_CLIENT_SIDE_SSL
2170			}
2171			else /* Client */
2172
2173			{
2174	133944	50	if (haveCorrectKeyAlg(ssl->keys->CAcerts, OID_RSA_KEY_ALG,
2175			KEY_ALG_ANY) < 0)
2176			{
2177	0		return PS_FAILURE;
2178			}
2179			# endif
2180			}
2181			}
2182
2183			# ifdef USE_DHE_CIPHER_SUITE
2184			/*
2185			DHE_RSA ciphers types
2186			*/
2187	402979	100	if (cipherType == CS_DHE_RSA)
2188			{
2189	89296	50	if (ssl->flags & SSL_FLAGS_SERVER)
2190			{
2191			# ifdef REQUIRE_DH_PARAMS
2192	0	0	if (ssl->keys->dhParams.size == 0)
2193			{
2194	0		return PS_FAILURE;
2195			}
2196			# endif
2197			# ifdef USE_SERVER_SIDE_SSL
2198	0	0	if (haveCorrectKeyAlg(ssl->keys->cert, OID_RSA_KEY_ALG,
2199			KEY_ALG_FIRST) < 0)
2200			{
2201	0		return PS_FAILURE;
2202			}
2203			# endif
2204			# ifdef USE_CLIENT_SIDE_SSL
2205			}
2206			else
2207			{
2208	89296	50	if (haveCorrectKeyAlg(ssl->keys->CAcerts, OID_RSA_KEY_ALG,
2209			KEY_ALG_ANY) < 0)
2210			{
2211	0		return PS_FAILURE;
2212			}
2213			# endif
2214			}
2215			}
2216
2217			# ifdef REQUIRE_DH_PARAMS
2218			/*
2219			Anon DH ciphers don't need much
2220			*/
2221	402979	50	if (cipherType == CS_DH_ANON)
2222			{
2223	0	0	if (ssl->flags & SSL_FLAGS_SERVER)
2224			{
2225	0	0	if (ssl->keys == NULL \|\| ssl->keys->dhParams.size == 0)
		0
2226			{
2227	0		return PS_FAILURE;
2228			}
2229			}
2230			}
2231			# endif
2232
2233			# ifdef USE_PSK_CIPHER_SUITE
2234	402979	100	if (cipherType == CS_DHE_PSK)
2235			{
2236			# ifdef REQUIRE_DH_PARAMS
2237	44648	50	if (ssl->flags & SSL_FLAGS_SERVER)
2238			{
2239	0	0	if (ssl->keys == NULL \|\| ssl->keys->dhParams.size == 0)
		0
2240			{
2241	0		return PS_FAILURE;
2242			}
2243			}
2244			# endif
2245			/* Only using these for clients at the moment */
2246	44648	50	if (!(ssl->flags & SSL_FLAGS_SERVER))
2247			{
2248	44648	50	if (ssl->keys == NULL \|\| ssl->keys->pskKeys == NULL)
		50
2249			{
2250	44648		return PS_FAILURE;
2251			}
2252			}
2253			}
2254			# endif /* USE_PSK_CIPHER_SUITE */
2255			# endif /* USE_DHE_CIPHER_SUITE */
2256
2257			# ifdef USE_ECC_CIPHER_SUITE /* key exchange */
2258			/*
2259			ECDHE_RSA ciphers use RSA keys
2260			*/
2261	358331	100	if (cipherType == CS_ECDHE_RSA)
2262			{
2263	135090	100	if (ssl->flags & SSL_FLAGS_SERVER)
2264			{
2265			# ifdef USE_SERVER_SIDE_SSL
2266	1146	50	if (haveCorrectKeyAlg(ssl->keys->cert, OID_RSA_KEY_ALG,
2267			KEY_ALG_FIRST) < 0)
2268			{
2269	0		return PS_FAILURE;
2270			}
2271	1146	50	if (haveCorrectSigAlg(ssl->keys->cert, RSA_TYPE_SIG) < 0)
2272			{
2273	0		return PS_FAILURE;
2274			}
2275			# endif
2276			# ifdef USE_CLIENT_SIDE_SSL
2277			}
2278			else
2279			{
2280	133944	50	if (haveCorrectKeyAlg(ssl->keys->CAcerts, OID_RSA_KEY_ALG,
2281			KEY_ALG_ANY) < 0)
2282			{
2283	0		return PS_FAILURE;
2284			}
2285			# endif
2286			}
2287			}
2288
2289			/*
2290			ECDH_RSA ciphers use ECDSA key exhange and RSA auth.
2291			*/
2292	358331	50	if (cipherType == CS_ECDH_RSA)
2293			{
2294	0	0	if (ssl->flags & SSL_FLAGS_SERVER)
2295			{
2296			# ifdef USE_SERVER_SIDE_SSL
2297	0	0	if (haveCorrectKeyAlg(ssl->keys->cert, OID_ECDSA_KEY_ALG,
2298			KEY_ALG_FIRST) < 0)
2299			{
2300	0		return PS_FAILURE;
2301			}
2302	0	0	if (haveCorrectSigAlg(ssl->keys->cert, RSA_TYPE_SIG) < 0)
2303			{
2304	0		return PS_FAILURE;
2305			}
2306			# endif
2307			# ifdef USE_CLIENT_SIDE_SSL
2308			}
2309			else
2310			{
2311	0	0	if (haveCorrectKeyAlg(ssl->keys->CAcerts, OID_RSA_KEY_ALG,
2312			KEY_ALG_ANY) < 0)
2313			{
2314	0		return PS_FAILURE;
2315			}
2316			# endif
2317			}
2318			}
2319
2320
2321			/*
2322			ECDHE_ECDSA and ECDH_ECDSA ciphers must have ECDSA keys
2323			*/
2324	358331	50	if (cipherType == CS_ECDHE_ECDSA \|\| cipherType == CS_ECDH_ECDSA)
		50
2325			{
2326	0	0	if (ssl->flags & SSL_FLAGS_SERVER)
2327			{
2328			# ifdef USE_SERVER_SIDE_SSL
2329	0	0	if (haveCorrectKeyAlg(ssl->keys->cert, OID_ECDSA_KEY_ALG,
2330			KEY_ALG_FIRST) < 0)
2331			{
2332	0		return PS_FAILURE;
2333			}
2334	0	0	if (haveCorrectSigAlg(ssl->keys->cert, ECDSA_TYPE_SIG) < 0)
2335			{
2336	0		return PS_FAILURE;
2337			}
2338			# endif
2339			# ifdef USE_CLIENT_SIDE_SSL
2340			}
2341			else
2342			{
2343	0	0	if (haveCorrectKeyAlg(ssl->keys->CAcerts, OID_ECDSA_KEY_ALG,
2344			KEY_ALG_ANY) < 0)
2345			{
2346	0		return PS_FAILURE;
2347			}
2348			# endif
2349			}
2350			}
2351			# endif /* USE_ECC_CIPHER_SUITE */
2352			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
2353
2354			# ifdef USE_PSK_CIPHER_SUITE
2355	358331	50	if (cipherType == CS_PSK)
2356			{
2357	0	0	if (ssl->keys == NULL \|\| ssl->keys->pskKeys == NULL)
		0
2358			{
2359	0		return PS_FAILURE;
2360			}
2361			}
2362			# endif /* USE_PSK_CIPHER_SUITE */
2363
2364	358331		return PS_SUCCESS;
2365			}
2366			#endif /* VALIDATE_KEY_MATERIAL */
2367
2368
2369			# ifdef USE_SERVER_SIDE_SSL
2370
2371			# ifdef USE_SERVER_PREFERRED_CIPHERS
2372
2373			/* quick sort support for sorting descendingly the client's supported
2374			supported cipher list
2375			*/
2376	17190		void quick_sort_desc(uint32 *v, int l, int r) {
2377	17190		int i = l, j = r;
2378			int tmp;
2379	17190		int p = v[(l + r) / 2];
2380
2381	42406	100	while (i <= j) {
2382	52664	100	while (v[i] > p)
2383	27448		i++;
2384	58462	100	while (v[j] < p)
2385	33246		j--;
2386
2387	25216	100	if (i <= j) {
2388	20628		tmp = v[i];
2389	20628		v[i] = v[j];
2390	20628		v[j] = tmp;
2391	20628		i++;
2392	20628		j--;
2393			}
2394			};
2395
2396	17190	100	if (l < j)
2397	8018		quick_sort_desc(v, l, j);
2398	17190	100	if (i < r)
2399	8026		quick_sort_desc(v, i, r);
2400	17190		}
2401
2402			# endif /* USE_SERVER_PREFERRED_CIPHERS */
2403
2404			/* 0 return is a key was found
2405			<0 is no luck
2406			*/
2407	1147		int32 chooseCipherSuite(ssl_t ssl, unsigned char listStart, int32 listLen)
2408			{
2409			const sslCipherSpec_t *spec;
2410	1147		unsigned char *c = listStart;
2411			unsigned char *end;
2412			uint16 ecKeyExchange;
2413			uint32 cipher;
2414			sslPubkeyId_t wantKey;
2415	1147		sslKeys_t *givenKey = NULL;
2416
2417			# ifdef USE_SERVER_PREFERRED_CIPHERS
2418
2419			#define MAX_CIPHERS 256
2420
2421	1147		unsigned char *cc = listStart;
2422	1147		unsigned char *ec = listStart + listLen;
2423			uint32 ciphers[MAX_CIPHERS];
2424	1147		int ciphersLen = 0, cn = 0, i = 0;
2425
2426	20626	100	while ((cc < ec) && (cn < MAX_CIPHERS)) {
		50
2427	19479	50	if (ssl->rec.majVer > SSL2_MAJ_VER) {
2428	19479		ciphers[cn] = *cc << 8; cc++;
2429	19479		ciphers[cn] += *cc; cc++;
2430			} else {
2431			/* Deal with an SSLv2 hello message. Ciphers are 3 bytes long */
2432	0		ciphers[cn] = *cc << 16; cc++;
2433	0		ciphers[cn] += *cc << 8; cc++;
2434	0		ciphers[cn] += *cc; cc++;
2435			}
2436
2437			psTraceIntInfo("Cipher index %d ", cn);
2438			psTraceIntInfo("is %d\n", ciphers[cn]);
2439
2440	19479		cn++;
2441			}
2442
2443	1147	100	if (cn > 1) quick_sort_desc(ciphers, 0, cn - 1);
2444
2445	1147	50	while (i < cn) {
2446	1147		cipher = ciphers[i++];
2447
2448			# else
2449
2450			end = c + listLen;
2451			while (c < end) {
2452
2453			if (ssl->rec.majVer > SSL2_MAJ_VER) {
2454			cipher = *c << 8; c++;
2455			cipher += *c; c++;
2456			} else {
2457			/* Deal with an SSLv2 hello message. Ciphers are 3 bytes long */
2458			cipher = *c << 16; c++;
2459			cipher += *c << 8; c++;
2460			cipher += *c; c++;
2461			}
2462
2463			# endif /* USE_SERVER_PREFERRED_CIPHERS */
2464
2465			/* Checks if this cipher suite compiled into the library.
2466			ALSO, in the cases of static server keys (ssl->keys not NULL)
2467			the haveKeyMaterial function will be run */
2468	1147	50	if ((spec = sslGetCipherSpec(ssl, cipher)) == NULL)
2469			{
2470	0		continue;
2471			}
2472
2473	1147	50	if (ssl->keys == NULL)
2474			{
2475			/* Populate the sslPubkeyId_t struct to pass to user callback */
2476	0		wantKey.keyType = getKeyTypeFromCipherType(spec->type,
2477			&wantKey.dhParamsRequired, &ecKeyExchange);
2478			/* If this is a ECDHE_RSA or ECDH_RSA suite, there are going to
2479			need to be some indications for that */
2480			psTraceInfo("ecKeyExchange must be incorporated into the user callback.\n");
2481
2482			/* If this a pure PSK cipher with no DH then we assign that suite
2483			immediately and never invoke the user callback. This server has
2484			already indicated its willingness to use PSK if compiled in and
2485			the client has sent the suites in priority order so we use it */
2486	0	0	if (wantKey.keyType == CS_NULL && wantKey.dhParamsRequired == 0)
		0
2487			{
2488	0		ssl->cipher = spec;
2489	0		return PS_SUCCESS;
2490			}
2491
2492			/* ssl->expectedName is populated with the optional
2493			SNI extension value.
2494
2495			In this flexible server case, the SNI callback function is
2496			NOT USED.
2497			*/
2498	0		wantKey.serverName = ssl->expectedName;
2499			# ifdef USE_TLS_1_2
2500	0		wantKey.hashAlg = ssl->hashSigAlg;
2501			# else
2502			wantKey.hashAlg = 0;
2503			# endif
2504			# ifdef USE_ECC_CIPHER_SUITE
2505			/* At this point ssl->ecInfo.ecFlags carries the shared curves */
2506	0		wantKey.curveFlags = ssl->ecInfo.ecFlags;
2507			# else
2508			wantKey.curveFlags = 0;
2509			# endif
2510
2511			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2512			/* Invoke the user's callback */
2513	0		givenKey = (ssl->sec.pubkeyCb)(ssl, &wantKey);
2514			# endif
2515
2516	0	0	if (givenKey == NULL)
2517			{
2518			/* User didn't have a match. Keep looking through suites */
2519	0		continue;
2520			}
2521
2522			# ifdef VALIDATE_KEY_MATERIAL
2523			/* We want to double check this. Temporarily assign their keys as
2524			ssl->keys for haveKeyMaterial to find */
2525	0		ssl->keys = givenKey;
2526	0	0	if (haveKeyMaterial(ssl, spec->type, 1) < 0)
2527			{
2528	0		ssl->keys = NULL;
2529			/* We're still looping through cipher suites above so this
2530			isn't really fatal. It just means the user gave us keys
2531			that don't match the suite we wanted */
2532			psTraceInfo("WARNING: server didn't load proper keys for ");
2533			psTraceIntInfo("cipher suite %d during pubkey callback\n",
2534			spec->ident);
2535	0		continue;
2536			}
2537			/* Reset. One final test below before we can set ssl->keys */
2538	0		ssl->keys = NULL;
2539			# endif
2540			}
2541			else
2542			{
2543	1147	50	if (ssl->expectedName)
2544			{
2545			/* The SNI callback is no longer invoked in the middle of the
2546			parse. Now is the time to call it for pre-loaded keys */
2547	0	0	if (matrixServerSetKeysSNI(ssl, ssl->expectedName,
2548	0		strlen(ssl->expectedName)) < 0)
2549			{
2550			psTraceInfo("Server didn't load SNI keys\n");
2551	0		ssl->err = SSL_ALERT_UNRECOGNIZED_NAME;
2552	0		return MATRIXSSL_ERROR;
2553			}
2554			# ifdef VALIDATE_KEY_MATERIAL
2555			/* New ssl->keys may have been loaded by the callback,
2556			see if they match the potential cipher suite */
2557	0	0	if (haveKeyMaterial(ssl, spec->type, 1) < 0)
2558			{
2559	0		continue;
2560			}
2561			# endif
2562			}
2563			/* This is here because it still could be useful to support the
2564			old mechanism where the server just loads the single known
2565			ID key at new session and never looks back */
2566	1147		givenKey = ssl->keys;
2567			}
2568
2569			# ifdef VALIDATE_KEY_MATERIAL
2570			/* Validate key for any sigHashAlg and eccParam hello extensions */
2571	1147	50	if (validateKeyForExtensions(ssl, spec, givenKey) < 0)
2572			{
2573	0		givenKey = NULL;
2574			}
2575			else
2576			{
2577			# endif
2578	1147		ssl->cipher = spec;
2579	1147		ssl->keys = givenKey;
2580	1147		return PS_SUCCESS;
2581			# ifdef VALIDATE_KEY_MATERIAL
2582			}
2583			# endif
2584			}
2585			psTraceInfo("No matching keys for any requested cipher suite.\n");
2586	0	0	psAssert(givenKey == NULL);
2587	1147		return PS_UNSUPPORTED_FAIL; /* Server can't match anything */
2588			}
2589			# endif /* USE_SERVER_SIDE */
2590
2591
2592			#ifndef USE_ONLY_PSK_CIPHER_SUITE
2593			# ifdef USE_ECC_CIPHER_SUITE
2594			/*
2595			See if any of the EC suites are supported. Needed by client very early on
2596			to know whether or not to add the EC client hello extensions
2597			*/
2598	11163		int32_t eccSuitesSupported(const ssl_t *ssl,
2599			const psCipher16_t cipherSpecs[], uint8_t cipherSpecLen)
2600			{
2601	11163		int32 i = 0;
2602
2603	11163	100	if (cipherSpecLen == 0)
2604			{
2605	22324		if (sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) \|\|
2606	22324	50	sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) \|\|
2607	11162	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) \|\|
2608	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) \|\|
2609	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) \|\|
2610	0	0	sslGetCipherSpec(ssl, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA) \|\|
2611	0	0	sslGetCipherSpec(ssl, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA) \|\|
2612	0	0	sslGetCipherSpec(ssl, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA) \|\|
2613			# ifdef USE_TLS_1_2
2614	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) \|\|
2615	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384) \|\|
2616	0	0	sslGetCipherSpec(ssl, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256) \|\|
2617	0	0	sslGetCipherSpec(ssl, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384) \|\|
2618	0	0	sslGetCipherSpec(ssl, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256) \|\|
2619	0	0	sslGetCipherSpec(ssl, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384) \|\|
2620	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) \|\|
2621	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) \|\|
2622	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) \|\|
2623	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) \|\|
2624	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) \|\|
2625	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) \|\|
2626	0	0	sslGetCipherSpec(ssl, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256) \|\|
2627	0	0	sslGetCipherSpec(ssl, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384) \|\|
2628	0	0	sslGetCipherSpec(ssl, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256) \|\|
2629	0	0	sslGetCipherSpec(ssl, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384) \|\|
2630	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) \|\|
2631	0	0	sslGetCipherSpec(ssl, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) \|\|
2632			# endif
2633	0		sslGetCipherSpec(ssl, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA))
2634			{
2635	11162		return 1;
2636			}
2637			}
2638			else
2639			{
2640	2	100	while (i < cipherSpecLen)
2641			{
2642	1	50	if (cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \|\|
		50
2643	1	50	cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \|\|
2644	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \|\|
2645	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \|\|
2646	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \|\|
2647	1	50	cipherSpecs[i] == TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \|\|
2648	1	50	cipherSpecs[i] == TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \|\|
2649	1	50	cipherSpecs[i] == TLS_ECDH_RSA_WITH_AES_256_CBC_SHA \|\|
2650			# ifdef USE_TLS_1_2
2651	1	50	cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \|\|
2652	1	50	cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \|\|
2653	1	50	cipherSpecs[i] == TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \|\|
2654	1	50	cipherSpecs[i] == TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \|\|
2655	1	50	cipherSpecs[i] == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \|\|
2656	1	50	cipherSpecs[i] == TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \|\|
2657	1	50	cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \|\|
2658	1	50	cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \|\|
2659	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \|\|
2660	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \|\|
2661	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \|\|
2662	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \|\|
2663	1	50	cipherSpecs[i] == TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 \|\|
2664	1	50	cipherSpecs[i] == TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 \|\|
2665	1	50	cipherSpecs[i] == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 \|\|
2666	1	50	cipherSpecs[i] == TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 \|\|
2667	1	50	cipherSpecs[i] == TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \|\|
2668	1	50	cipherSpecs[i] == TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \|\|
2669			# endif
2670	1		cipherSpecs[i] == TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
2671			{
2672	0		return 1;
2673			}
2674	1		i++;
2675			}
2676			}
2677	1		return 0;
2678			}
2679			# endif /* USE_ECC_CIPHER_SUITE */
2680
2681			# ifdef USE_CLIENT_SIDE_SSL
2682			/* Test if agreed upon cipher suite authentication is being adhered to */
2683	1148		int32 csCheckCertAgainstCipherSuite(int32 pubKey, int32 cipherType)
2684			{
2685	1148	50	if (pubKey == PS_RSA)
2686			{
2687	1148	50	if (cipherType == CS_DHE_RSA \|\| cipherType == CS_RSA \|\|
		100
		50
2688			cipherType == CS_ECDHE_RSA)
2689			{
2690	1148		return 1;
2691			}
2692			}
2693	0	0	if (pubKey == PS_ECC)
2694			{
2695	0	0	if (cipherType == CS_ECDHE_ECDSA \|\| cipherType == CS_ECDH_ECDSA \|\|
		0
		0
2696			cipherType == CS_ECDH_RSA)
2697			{
2698	0		return 1;
2699			}
2700
2701			}
2702	0		return 0; /* no match */
2703			}
2704			# endif /* USE_CLIENT_SIDE_SSL */
2705			#endif /* USE_ONLY_PSK_CIPHER_SUITE */
2706
2707			/******************************************************************************/
2708			/**
2709			Lookup the given cipher spec ID.
2710			@param[in] id The official ciphersuite id to find.
2711			@return A pointer to the cipher suite structure, if configured in build.
2712			If not defined, return NULL.
2713			*/
2714	0		const sslCipherSpec_t *sslGetDefinedCipherSpec(uint16_t id)
2715			{
2716			uint8_t i;
2717
2718	0	0	for (i = 0; supportedCiphers[i].ident != SSL_NULL_WITH_NULL_NULL; i++)
2719			{
2720	0	0	if (supportedCiphers[i].ident == id)
2721			{
2722	0		return &supportedCiphers[i];
2723			}
2724			}
2725	0		return NULL;
2726			}
2727
2728			/******************************************************************************/
2729			/**
2730			Lookup and validate the given cipher spec ID.
2731			Return a pointer to the structure if found and meeting constraints in 'ssl'.
2732			This is used when negotiating security, to find out what suites we support.
2733			@param[in] id The official ciphersuite id to find.
2734			@return A pointer to the cipher suite structure, if configured in build
2735			and appropriate for the constraints in 'ssl'.
2736			If not defined or apprppriate, return NULL.
2737			*/
2738	58097		const sslCipherSpec_t sslGetCipherSpec(const ssl_t ssl, uint16_t id)
2739			{
2740			uint8_t i;
2741
2742			#ifdef USE_SERVER_SIDE_SSL
2743			uint8_t j;
2744			#endif /* USE_SERVER_SIDE_SSL */
2745
2746	58097		i = 0;
2747			do
2748			{
2749	939785	100	if (supportedCiphers[i].ident != id)
2750			{
2751	904013		continue;
2752			}
2753			/* Double check we support the requsted hash algorithm */
2754			#ifndef USE_MD5
2755			if (supportedCiphers[i].flags & CRYPTO_FLAGS_MD5)
2756			{
2757			return NULL;
2758			}
2759			#endif
2760			#ifndef USE_SHA1
2761			if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA1)
2762			{
2763			return NULL;
2764			}
2765			#endif
2766			#if !defined(USE_SHA256) && !defined(USE_SHA384)
2767			if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
2768			{
2769			return NULL;
2770			}
2771			#endif
2772			/* Double check we support the requsted weak cipher algorithm */
2773			#ifndef USE_ARC4
2774			if (supportedCiphers[i].flags &
2775			(CRYPTO_FLAGS_ARC4INITE \| CRYPTO_FLAGS_ARC4INITD))
2776			{
2777			return NULL;
2778			}
2779			#endif
2780			#ifndef USE_3DES
2781			if (supportedCiphers[i].flags & CRYPTO_FLAGS_3DES)
2782			{
2783			return NULL;
2784			}
2785			#endif
2786			#ifdef USE_SERVER_SIDE_SSL
2787			/* Globally disabled? */
2788	35772	50	if (disabledCipherFlags[i >> 5] & (1 << (i & 31)))
2789			{
2790			psTraceIntInfo("Matched cipher suite %d but disabled by user\n",
2791			id);
2792	0		return NULL;
2793			}
2794			/* Disabled for session? */
2795	35772	100	if (id != 0) /* Disable NULL_WITH_NULL_NULL not possible */
2796			{
2797	121122	100	for (j = 0; j < SSL_MAX_DISABLED_CIPHERS; j++)
2798			{
2799	107664	50	if (ssl->disabledCiphers[j] == id)
2800			{
2801			psTraceIntInfo("Matched cipher suite %d but disabled by user\n",
2802			id);
2803	0		return NULL;
2804			}
2805			}
2806			}
2807			#endif /* USE_SERVER_SIDE_SSL */
2808			#ifdef USE_TLS_1_2
2809			/* Unusable because protocol doesn't allow? */
2810			# ifdef USE_DTLS
2811			if (ssl->majVer == DTLS_MAJ_VER &&
2812			ssl->minVer != DTLS_1_2_MIN_VER)
2813			{
2814			if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA3 \|\|
2815			supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
2816			{
2817			psTraceIntInfo(
2818			"Matched cipher suite %d but only allowed in DTLS 1.2\n", id);
2819			return NULL;
2820			}
2821			}
2822			if (!(ssl->flags & SSL_FLAGS_DTLS))
2823			{
2824			# endif
2825	35772	100	if (ssl->minVer < TLS_1_2_MIN_VER)
2826			{
2827	22314	50	if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA3 \|\|
		50
2828	22314		supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
2829			{
2830			psTraceIntInfo(
2831			"Matched cipher suite %d but only allowed in TLS 1.2\n", id);
2832	0		return NULL;
2833			}
2834			}
2835	35772	100	if (ssl->minVer == TLS_1_2_MIN_VER)
2836			{
2837	13458	50	if (supportedCiphers[i].flags & CRYPTO_FLAGS_MD5)
2838			{
2839			psTraceIntInfo("Not allowing MD5 suite %d in TLS 1.2\n",
2840			id);
2841	0		return NULL;
2842			}
2843			}
2844			# ifdef USE_DTLS
2845			}
2846			# endif
2847			#endif /* TLS_1_2 */
2848
2849			/** Check restrictions by HTTP2 (set by ALPN extension).
2850			This should filter out all ciphersuites specified in:
2851			https://tools.ietf.org/html/rfc7540#appendix-A
2852			"Note: This list was assembled from the set of registered TLS
2853			cipher suites at the time of writing. This list includes those
2854			cipher suites that do not offer an ephemeral key exchange and
2855			those that are based on the TLS null, stream, or block cipher type
2856			(as defined in Section 6.2.3 of [TLS12]). Additional cipher
2857			suites with these properties could be defined; these would not be
2858			explicitly prohibited."
2859			*/
2860	35772	50	if (ssl->flags & SSL_FLAGS_HTTP2)
2861			{
2862			/** Only allow AEAD ciphers. */
2863	0	0	if (!(supportedCiphers[i].flags & CRYPTO_FLAGS_GCM) &&
		0
2864	0		!(supportedCiphers[i].flags & CRYPTO_FLAGS_CHACHA))
2865			{
2866
2867	0		return NULL;
2868			}
2869			/** Only allow ephemeral key exchange. */
2870	0	0	switch (supportedCiphers[i].type)
2871			{
2872			case CS_DHE_RSA:
2873			case CS_ECDHE_ECDSA:
2874			case CS_ECDHE_RSA:
2875	0		break;
2876			default:
2877	0		return NULL;
2878			}
2879			}
2880
2881			/* The suite is available. Want to reject if current key material
2882			does not support? */
2883			#ifdef VALIDATE_KEY_MATERIAL
2884	35772	50	if (ssl->keys != NULL)
2885			{
2886	35772	100	if ((ssl->flags & SSL_FLAGS_SERVER) == 0)
2887			{
2888			/* Client: Just accept the cipher suite, because we do not
2889			know of server public key yet. */
2890	34625		return &supportedCiphers[i];
2891			}
2892	1147	50	if (haveKeyMaterial(ssl, supportedCiphers[i].type, 0)
2893			== PS_SUCCESS)
2894			{
2895	1147		return &supportedCiphers[i];
2896			}
2897			psTraceIntInfo("Matched cipher suite %d but no supporting keys\n",
2898			id);
2899			}
2900			else
2901			{
2902	0		return &supportedCiphers[i];
2903			}
2904			#else
2905			return &supportedCiphers[i];
2906			#endif /* VALIDATE_KEY_MATERIAL */
2907			}
2908	904013	100	while (supportedCiphers[i++].ident != SSL_NULL_WITH_NULL_NULL);
2909
2910	22325		return NULL;
2911			}
2912
2913
2914			/******************************************************************************/
2915			/*
2916			Write out a list of the supported cipher suites to the caller's buffer
2917			First 2 bytes are the number of cipher suite bytes, the remaining bytes are
2918			the cipher suites, as two byte, network byte order values.
2919			*/
2920	11162		int32_t sslGetCipherSpecList(ssl_t ssl, unsigned char c, int32 len,
2921			int32 addScsv)
2922			{
2923			unsigned char end, p;
2924			unsigned short i;
2925			int32 ignored;
2926
2927	11162	50	if (len < 4)
2928			{
2929	0		return -1;
2930			}
2931	11162		end = c + len;
2932	11162		p = c; c += 2;
2933
2934	11162		ignored = 0;
2935	212078	100	for (i = 0; supportedCiphers[i].ident != SSL_NULL_WITH_NULL_NULL; i++)
2936			{
2937	200916	50	if (end - c < 2)
2938			{
2939	0		return PS_MEM_FAIL;
2940			}
2941			#ifdef USE_TLS_1_2
2942			/* The SHA-2 based cipher suites are TLS 1.2 only so don't send
2943			those if the user has requested a lower protocol in
2944			NewClientSession */
2945			# ifdef USE_DTLS
2946			if (ssl->majVer == DTLS_MAJ_VER && ssl->minVer != DTLS_1_2_MIN_VER)
2947			{
2948			if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA3 \|\|
2949			supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
2950			{
2951			ignored += 2;
2952			continue;
2953			}
2954			}
2955			if (!(ssl->flags & SSL_FLAGS_DTLS))
2956			{
2957			# endif
2958	200916	50	if (ssl->minVer != TLS_1_2_MIN_VER)
2959			{
2960	0	0	if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA3 \|\|
		0
2961	0		supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
2962			{
2963	0		ignored += 2;
2964	0		continue;
2965			}
2966			}
2967			# ifdef USE_DTLS
2968			}
2969			# endif
2970			#endif /* TLS_1_2 */
2971			#ifdef VALIDATE_KEY_MATERIAL
2972	200916	100	if (haveKeyMaterial(ssl, supportedCiphers[i].type, 0) != PS_SUCCESS)
2973			{
2974	22324		ignored += 2;
2975	22324		continue;
2976			}
2977			#endif
2978	178592		*c = (unsigned char) ((supportedCiphers[i].ident & 0xFF00) >> 8); c++;
2979	178592		*c = (unsigned char) (supportedCiphers[i].ident & 0xFF); c++;
2980			}
2981	11162		i *= 2;
2982	11162		i -= (unsigned short) ignored;
2983			#ifdef ENABLE_SECURE_REHANDSHAKES
2984	11162	100	if (addScsv == 1)
2985			{
2986			# ifdef USE_CLIENT_SIDE_SSL
2987	11156		ssl->extFlags.req_renegotiation_info = 1;
2988			# endif
2989	11156	50	if (end - c < 2)
2990			{
2991	0		return PS_MEM_FAIL;
2992			}
2993	11156		*c = ((TLS_EMPTY_RENEGOTIATION_INFO_SCSV & 0xFF00) >> 8); c++;
2994	11156		*c = TLS_EMPTY_RENEGOTIATION_INFO_SCSV & 0xFF; c++;
2995	11156		i += 2;
2996			}
2997			#endif
2998
2999			#ifdef USE_CLIENT_SIDE_SSL
3000			/* This flag is set in EncodeClientHello based on sslSessOpts_t.fallbackScsv */
3001	11162	50	if (ssl->extFlags.req_fallback_scsv)
3002			{
3003			/** Add the fallback signalling ciphersuite.
3004			@see https://tools.ietf.org/html/rfc7507 */
3005	0	0	if (end - c < 2)
3006			{
3007	0		return PS_MEM_FAIL;
3008			}
3009	0		*c = (TLS_FALLBACK_SCSV >> 8) & 0xFF; c++;
3010	0		*c = TLS_FALLBACK_SCSV & 0xFF; c++;
3011	0		i += 2;
3012			}
3013			#endif
3014
3015	11162		*p = (unsigned char) (i >> 8); p++;
3016	11162		*p = (unsigned char) (i & 0xFF);
3017	11162		return i + 2;
3018			}
3019
3020			/******************************************************************************/
3021			/*
3022			Return the length of the cipher spec list, including initial length bytes,
3023			(minus any suites that we don't have the key material to support)
3024			*/
3025	11162		int32_t sslGetCipherSpecListLen(const ssl_t *ssl)
3026			{
3027			int32 i, ignored;
3028
3029	11162		ignored = 0;
3030	212078	100	for (i = 0; supportedCiphers[i].ident != SSL_NULL_WITH_NULL_NULL; i++)
3031			{
3032			#ifdef USE_TLS_1_2
3033			/* The SHA-2 based cipher suites are TLS 1.2 only so don't send
3034			those if the user has requested a lower protocol in
3035			NewClientSession */
3036			# ifdef USE_DTLS
3037			if (ssl->majVer == DTLS_MAJ_VER && ssl->minVer != DTLS_1_2_MIN_VER)
3038			{
3039			if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA3 \|\|
3040			supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
3041			{
3042			ignored += 2;
3043			continue;
3044			}
3045			}
3046			if (!(ssl->flags & SSL_FLAGS_DTLS))
3047			{
3048			# endif
3049	200916	50	if (ssl->minVer != TLS_1_2_MIN_VER)
3050			{
3051	0	0	if (supportedCiphers[i].flags & CRYPTO_FLAGS_SHA3 \|\|
		0
3052	0		supportedCiphers[i].flags & CRYPTO_FLAGS_SHA2)
3053			{
3054	0		ignored += 2;
3055	0		continue;
3056			}
3057			}
3058			# ifdef USE_DTLS
3059			}
3060			# endif
3061			#endif /* USE_TLS_1_2 */
3062			#ifdef VALIDATE_KEY_MATERIAL
3063	200916	100	if (haveKeyMaterial(ssl, supportedCiphers[i].type, 0) != PS_SUCCESS)
3064			{
3065	22324		ignored += 2;
3066			}
3067			#endif
3068			}
3069	11162		return (i * 2) + 2 - ignored;
3070			}
3071
3072			/******************************************************************************/
3073			/*
3074			Flag the session based on the agreed upon cipher suite
3075			NOTE: sslResetContext will have cleared these flags for re-handshakes
3076			*/
3077	2299		void matrixSslSetKexFlags(ssl_t *ssl)
3078			{
3079
3080			#ifdef USE_DHE_CIPHER_SUITE
3081			/*
3082			Flag the specific DH ciphers so the correct key exchange
3083			mechanisms can be used. And because DH changes the handshake
3084			messages as well.
3085			*/
3086	2299	50	if (ssl->cipher->type == CS_DHE_RSA)
3087			{
3088	0		ssl->flags \|= SSL_FLAGS_DHE_KEY_EXCH;
3089	0		ssl->flags \|= SSL_FLAGS_DHE_WITH_RSA;
3090			}
3091
3092			# ifdef USE_PSK_CIPHER_SUITE
3093			/*
3094			Set the PSK flags and DH kex.
3095			NOTE: Although this isn't technically a DH_anon cipher, the handshake
3096			message order for DHE_PSK are identical and we can nicely piggy back
3097			on the handshake logic that already exists.
3098			*/
3099	2299	50	if (ssl->cipher->type == CS_DHE_PSK)
3100			{
3101	0		ssl->flags \|= SSL_FLAGS_DHE_KEY_EXCH;
3102	0		ssl->flags \|= SSL_FLAGS_ANON_CIPHER;
3103	0		ssl->flags \|= SSL_FLAGS_PSK_CIPHER;
3104			# ifdef USE_CLIENT_AUTH
3105	0	0	if (ssl->flags & SSL_FLAGS_SERVER)
3106			{
3107	0	0	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
3108			{
3109			psTraceInfo("No client auth TLS mode for DHE_PSK ciphers");
3110			psTraceInfo(". Disabling CLIENT_AUTH.\n");
3111	0		ssl->flags &= ~SSL_FLAGS_CLIENT_AUTH;
3112			}
3113			}
3114			# endif /* USE_CLIENT_AUTH */
3115			}
3116			# endif /* USE_PSK_CIPHER_SUITE */
3117
3118			# ifdef USE_ECC_CIPHER_SUITE
3119	2299	100	if (ssl->cipher->type == CS_ECDHE_RSA)
3120			{
3121	2297		ssl->flags \|= SSL_FLAGS_ECC_CIPHER;
3122	2297		ssl->flags \|= SSL_FLAGS_DHE_KEY_EXCH;
3123	2297		ssl->flags \|= SSL_FLAGS_DHE_WITH_RSA;
3124			}
3125	2299	50	if (ssl->cipher->type == CS_ECDHE_ECDSA)
3126			{
3127	0		ssl->flags \|= SSL_FLAGS_ECC_CIPHER;
3128	0		ssl->flags \|= SSL_FLAGS_DHE_KEY_EXCH;
3129	0		ssl->flags \|= SSL_FLAGS_DHE_WITH_DSA;
3130			}
3131			# endif /* USE_ECC_CIPHER_SUITE */
3132
3133			# ifdef USE_ANON_DH_CIPHER_SUITE
3134	2299	50	if (ssl->cipher->type == CS_DH_ANON)
3135			{
3136	0		ssl->flags \|= SSL_FLAGS_DHE_KEY_EXCH;
3137	0		ssl->flags \|= SSL_FLAGS_ANON_CIPHER;
3138	0		ssl->sec.anon = 1;
3139			}
3140			# endif /* USE_ANON_DH_CIPHER_SUITE */
3141			#endif /* USE_DHE_CIPHER_SUITE */
3142
3143			#ifdef USE_ECC_CIPHER_SUITE
3144	2299	50	if (ssl->cipher->type == CS_ECDH_ECDSA)
3145			{
3146	0		ssl->flags \|= SSL_FLAGS_ECC_CIPHER;
3147			}
3148	2299	50	if (ssl->cipher->type == CS_ECDH_RSA)
3149			{
3150	0		ssl->flags \|= SSL_FLAGS_ECC_CIPHER;
3151			}
3152			#endif /* USE_ECC_CIPHER_SUITE */
3153
3154			#ifdef USE_PSK_CIPHER_SUITE
3155	2299	50	if (ssl->cipher->type == CS_PSK)
3156			{
3157	0		ssl->flags \|= SSL_FLAGS_PSK_CIPHER;
3158			# ifdef USE_CLIENT_AUTH
3159	0	0	if (ssl->flags & SSL_FLAGS_SERVER)
3160			{
3161	0	0	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
3162			{
3163			psTraceInfo("No client auth TLS mode for basic PSK ciphers");
3164			psTraceInfo(". Disabling CLIENT_AUTH.\n");
3165	0		ssl->flags &= ~SSL_FLAGS_CLIENT_AUTH;
3166			}
3167			}
3168			# endif /* USE_CLIENT_AUTH */
3169			}
3170			#endif /* USE_PSK_CIPHER_SUITE */
3171
3172	2299		return;
3173			}
3174			/******************************************************************************/
3175