Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/bearssl/samples/custom_profile.c
39534 views
1
/*

2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>

3
 *

4
 * Permission is hereby granted, free of charge, to any person obtaining 

5
 * a copy of this software and associated documentation files (the

6
 * "Software"), to deal in the Software without restriction, including

7
 * without limitation the rights to use, copy, modify, merge, publish,

8
 * distribute, sublicense, and/or sell copies of the Software, and to

9
 * permit persons to whom the Software is furnished to do so, subject to

10
 * the following conditions:

11
 *

12
 * The above copyright notice and this permission notice shall be 

13
 * included in all copies or substantial portions of the Software.

14
 *

15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 

16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

22
 * SOFTWARE.

23
 */

24


25
#include "bearssl.h"

26


27
/*

28
 * A "profile" is an initialisation function for a SSL context, that

29
 * configures a list of cipher suites and algorithm implementations.

30
 * While BearSSL comes with a few predefined profiles, you might one

31
 * to define you own, using the example below as guidance.

32
 *

33
 * Each individual initialisation call sets a parameter or an algorithm

34
 * support. Setting a specific algorithm pulls in the implementation of

35
 * that algorithm in the compiled binary, as per static linking

36
 * behaviour. Removing some of this calls will then reduce total code

37
 * footprint, but also mechanically prevents some features to be

38
 * supported (protocol versions and cipher suites).

39
 *

40
 * The two below define profiles for the client and the server contexts,

41
 * respectively. Of course, in a typical size-constrained application,

42
 * you would use one or the other, not both, to avoid pulling in code

43
 * for both.

44
 */

45


46
void

47
example_client_profile(br_ssl_client_context *cc

48
	/* and possibly some other arguments */)

49
{

50
	/*

51
	 * A list of cipher suites, by preference (first is most

52
	 * preferred). The list below contains all cipher suites supported

53
	 * by BearSSL; trim it done to your needs.

54
	 */

55
	static const uint16_t suites[] = {

56
		BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,

57
		BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,

58
		BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

59
		BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

60
		BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

61
		BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

62
		BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,

63
		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,

64
		BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,

65
		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

66
		BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

67
		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

68
		BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

69
		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

70
		BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,

71
		BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,

72
		BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,

73
		BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,

74
		BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,

75
		BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,

76
		BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,

77
		BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,

78
		BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,

79
		BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,

80
		BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,

81
		BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,

82
		BR_TLS_RSA_WITH_AES_128_GCM_SHA256,

83
		BR_TLS_RSA_WITH_AES_256_GCM_SHA384,

84
		BR_TLS_RSA_WITH_AES_128_CBC_SHA256,

85
		BR_TLS_RSA_WITH_AES_256_CBC_SHA256,

86
		BR_TLS_RSA_WITH_AES_128_CBC_SHA,

87
		BR_TLS_RSA_WITH_AES_256_CBC_SHA,

88
		BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,

89
		BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,

90
		BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,

91
		BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,

92
		BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA

93
	};

94


95
	/*

96
	 * Client context must be cleared at some point. This sets

97
	 * every value and pointer to 0 or NULL.

98
	 */

99
	br_ssl_client_zero(cc);

100


101
	/*

102
	 * Define minimum and maximum protocol versions. Supported

103
	 * versions are:

104
	 *    BR_TLS10    TLS 1.0

105
	 *    BR_TLS11    TLS 1.1

106
	 *    BR_TLS12    TLS 1.2

107
	 */

108
	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);

109


110
	/*

111
	 * Set the PRF implementation(s).

112
	 * For TLS 1.0 and 1.1, the "prf10" is needed.

113
	 * For TLS 1.2, this depends on the cipher suite:

114
	 *  -- cipher suites with a name ending in "SHA384" need "prf_sha384";

115
	 *  -- all others need "prf_sha256".

116
	 *

117
	 * Note that a cipher suite like TLS_RSA_WITH_AES_128_CBC_SHA will

118
	 * use SHA-1 for the per-record MAC (that's what the final "SHA"

119
	 * means), but still SHA-256 for the PRF when selected along with

120
	 * the TLS-1.2 protocol version.

121
	 */

122
	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);

123
	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);

124
	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);

125


126
	/*

127
	 * Set hash functions for the engine. Required hash functions

128
	 * depend on the protocol and cipher suite:

129
	 *

130
	 * -- TLS 1.0 and 1.1 require both MD5 and SHA-1.

131
	 * -- With TLS 1.2, cipher suites with a name ending in "SHA384"

132
	 *    require SHA-384.

133
	 * -- With TLS 1.2, cipher suites with a name ending in "SHA256"

134
	 *    require SHA-256.

135
	 * -- With TLS 1.2, cipher suites with a name ending in "SHA"

136
	 *    require both SHA-256 and SHA-1.

137
	 *

138
	 * Moreover, these hash functions are also used to compute

139
	 * hashes supporting signatures on the server side (for ECDHE_*

140
	 * cipher suites), and on the client side (for client

141
	 * certificates, except in the case of full static ECDH). In TLS

142
	 * 1.0 and 1.1, SHA-1 (and also MD5) will be used, but with TLS

143
	 * 1.2 these hash functions are negotiated between client and

144
	 * server; SHA-256 and/or SHA-384 should be sufficient in

145
	 * practice.

146
	 *

147
	 * Note that with current implementations, SHA-224 and SHA-256

148
	 * share the same file, so if you use one, you may have the other

149
	 * one with no additional overhead. Similarly, SHA-384 and SHA-512

150
	 * share the same implementation code.

151
	 */

152
	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);

153
	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);

154
	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);

155
	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);

156
	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);

157
	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);

158


159
	/*

160
	 * Set the cipher suites. All specified cipher suite MUST be

161
	 * supported, and the relevant algorithms MUST have been

162
	 * configured (failure to provide needed implementations may

163
	 * trigger unwanted behaviours like segfaults or overflows).

164
	 */

165
	br_ssl_engine_set_suites(&cc->eng, suites,

166
		(sizeof suites) / (sizeof suites[0]));

167


168
	/*

169
	 * Public-key algorithm implementations.

170
	 *

171
	 * -- RSA public core ("rsapub") is needed for "RSA" key exchange

172
	 *    (cipher suites whose name starts with TLS_RSA).

173
	 *

174
	 * -- RSA signature verification ("rsavrfy") is needed for

175
	 *    "ECDHE_RSA" cipher suites (not ECDH_RSA).

176
	 *

177
	 * -- Elliptic curve implementation ("ec") is needed for cipher

178
	 *    suites that use elliptic curves (both "ECDH" and "ECDHE"

179
	 *    cipher suites).

180
	 *

181
	 * -- ECDSA signature verification is needed for "ECDHE_ECDSA"

182
	 *    cipher suites (but not for ECDHE_RSA, ECDH_ECDSA or ECDH_RSA).

183
	 *

184
	 * Normally, you use the "default" implementations, obtained

185
	 * through relevant function calls. These functions return

186
	 * implementations that are deemed "best" for the current

187
	 * platform, where "best" means "fastest within constant-time

188
	 * implementations". Selecting the default implementation is a

189
	 * mixture of compile-time and runtime checks.

190
	 *

191
	 * Nevertheless, specific implementations may be selected

192
	 * explicitly, e.g. to use code which is slower but with a

193
	 * smaller footprint.

194
	 *

195
	 * The RSA code comes in three variants, called "i15", "i31" and

196
	 * "i32". The "i31" code is somewhat faster than the "i32" code.

197
	 * Usually, "i31" is faster than "i15", except on some specific

198
	 * architectures (ARM Cortex M0, M0+, M1 and M3) where the "i15"

199
	 * should be preferred (the "i15" code is constant-time, while

200
	 * the "i31" is not, and the "i15" code is faster anyway).

201
	 *

202
	 * ECDSA code also comes in "i15" and "i31" variants. As in the

203
	 * case of RSA, the "i31" code is faster, except on the small

204
	 * ARM Cortex M, where the "i15" code is faster and safer.

205
	 *

206
	 * There are no less than 10 elliptic curve implementations:

207
	 *

208
	 *  - ec_c25519_i15, ec_c25519_i31, ec_c25519_m15 and ec_c25519_m31

209
	 *    implement Curve25519.

210
	 *

211
	 *  - ec_p256_m15 and ec_p256_m31 implement NIST curve P-256.

212
	 *

213
	 *  - ec_prime_i15 and ec_prime_i31 implement NIST curves P-256,

214
	 *    P-384 and P-521.

215
	 *

216
	 *  - ec_all_m15 is an aggregate implementation that uses

217
	 *    ec_c25519_m15, ec_p256_m15 and ec_prime_i15.

218
	 *

219
	 *  - ec_all_m31 is an aggregate implementation that uses

220
	 *    ec_c25519_m31, ec_p256_m31 and ec_prime_i31.

221
	 *

222
	 * For a given curve, "m15" is faster than "i15" (but possibly

223
	 * with a larger code footprint) and "m31" is faster than "i31"

224
	 * (there again with a larger code footprint). For best

225
	 * performance, use ec_all_m31, except on the small ARM Cortex M

226
	 * where ec_all_m15 should be used. Referencing the other

227
	 * implementations directly will result in smaller code, but

228
	 * support for fewer curves and possibly lower performance.

229
	 */

230
	br_ssl_client_set_default_rsapub(cc);

231
	br_ssl_engine_set_default_rsavrfy(&cc->eng);

232
	br_ssl_engine_set_default_ecdsa(&cc->eng);

233
	/* Alternate: set implementations explicitly.

234
	br_ssl_client_set_rsapub(cc, &br_rsa_i31_public);

235
	br_ssl_client_set_rsavrfy(cc, &br_rsa_i31_pkcs1_vrfy);

236
	br_ssl_engine_set_ec(&cc->eng, &br_ec_all_m31);

237
	br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i31_vrfy_asn1);

238
	*/

239


240
	/*

241
	 * Record handler:

242
	 * -- Cipher suites in AES_128_CBC, AES_256_CBC and 3DES_EDE_CBC

243
	 *    need the CBC record handler ("set_cbc").

244
	 * -- Cipher suites in AES_128_GCM and AES_256_GCM need the GCM

245
	 *    record handler ("set_gcm").

246
	 * -- Cipher suites in CHACHA20_POLY1305 need the ChaCha20+Poly1305

247
	 *    record handler ("set_chapol").

248
	 */

249
	br_ssl_engine_set_cbc(&cc->eng,

250
		&br_sslrec_in_cbc_vtable,

251
		&br_sslrec_out_cbc_vtable);

252
	br_ssl_engine_set_gcm(&cc->eng,

253
		&br_sslrec_in_gcm_vtable,

254
		&br_sslrec_out_gcm_vtable);

255
	br_ssl_engine_set_chapol(&cc->eng,

256
		&br_sslrec_in_chapol_vtable,

257
		&br_sslrec_out_chapol_vtable);

258


259
	/*

260
	 * Symmetric encryption:

261
	 * -- AES_128_CBC and AES_256_CBC require an "aes_cbc" implementation

262
	 *    (actually two implementations, for encryption and decryption).

263
	 * -- 3DES_EDE_CBC requires a "des_cbc" implementation

264
	 *    (actually two implementations, for encryption and decryption).

265
	 * -- AES_128_GCM and AES_256_GCM require an "aes_ctr" imeplementation

266
	 *    and also a GHASH implementation.

267
	 *

268
	 * Two 3DES implementations are provided:

269
	 *

270
	 *    des_tab     Classical table-based implementation; it is

271
	 *                not constant-time.

272
	 *

273
	 *    dest_ct     Constant-time DES/3DES implementation. It is

274
	 *                slower than des_tab.

275
	 *

276
	 * Four AES implementations are provided:

277
	 *

278
	 *    aes_ct      Constant-time AES implementation, for 32-bit

279
	 *                systems.

280
	 *

281
	 *    aes_ct64    Constant-time AES implementation, for 64-bit

282
	 *                systems. It actually also runs on 32-bit systems,

283
	 *                but, on such systems, it yields larger code and

284
	 *                slightly worse performance. On 64-bit systems,

285
	 *                aes_ct64 is about twice faster than aes_ct for

286
	 *                CTR processing (GCM encryption and decryption),

287
	 *                and for CBC (decryption only).

288
	 *

289
	 *    aes_small   Smallest implementation provided, but also the

290
	 *                slowest, and it is not constant-time. Use it

291
	 *                only if desperate for code size.

292
	 *

293
	 *    aes_big     Classical table-based AES implementation. This

294
	 *                is decently fast and still resonably compact,

295
	 *                but it is not constant-time.

296
	 *

297
	 *    aes_x86ni   Very fast implementation that uses the AES-NI

298
	 *                opcodes on recent x86 CPU. But it may not be

299
	 *                compiled in the library if the compiler or

300
	 *                architecture is not supported; and the CPU

301
	 *                may also not support the opcodes. Selection

302
	 *                functions are provided to test for availability

303
	 *                of the code and the opcodes.

304
	 *

305
	 * Whether having constant-time implementations is absolutely

306
	 * required for security depends on the context (in particular

307
	 * whether the target architecture actually has cache memory),

308
	 * and while side-channel analysis for non-constant-time AES

309
	 * code has been demonstrated in lab conditions, it certainly

310
	 * does not apply to all actual usages, and it has never been

311
	 * spotted in the wild. It is still considered cautious to use

312
	 * constant-time code by default, and to consider the other

313
	 * implementations only if duly measured performance issues make

314
	 * it mandatory.

315
	 */

316
	br_ssl_engine_set_aes_cbc(&cc->eng,

317
		&br_aes_ct_cbcenc_vtable,

318
		&br_aes_ct_cbcdec_vtable);

319
	br_ssl_engine_set_aes_ctr(&cc->eng,

320
		&br_aes_ct_ctr_vtable);

321
	/* Alternate: aes_ct64

322
	br_ssl_engine_set_aes_cbc(&cc->eng,

323
		&br_aes_ct64_cbcenc_vtable,

324
		&br_aes_ct64_cbcdec_vtable);

325
	br_ssl_engine_set_aes_ctr(&cc->eng,

326
		&br_aes_ct64_ctr_vtable);

327
	*/

328
	/* Alternate: aes_small

329
	br_ssl_engine_set_aes_cbc(&cc->eng,

330
		&br_aes_small_cbcenc_vtable,

331
		&br_aes_small_cbcdec_vtable);

332
	br_ssl_engine_set_aes_ctr(&cc->eng,

333
		&br_aes_small_ctr_vtable);

334
	*/

335
	/* Alternate: aes_big

336
	br_ssl_engine_set_aes_cbc(&cc->eng,

337
		&br_aes_big_cbcenc_vtable,

338
		&br_aes_big_cbcdec_vtable);

339
	br_ssl_engine_set_aes_ctr(&cc->eng,

340
		&br_aes_big_ctr_vtable);

341
	*/

342
	br_ssl_engine_set_des_cbc(&cc->eng,

343
		&br_des_ct_cbcenc_vtable,

344
		&br_des_ct_cbcdec_vtable);

345
	/* Alternate: des_tab

346
	br_ssl_engine_set_des_cbc(&cc->eng,

347
		&br_des_tab_cbcenc_vtable,

348
		&br_des_tab_cbcdec_vtable);

349
	*/

350


351
	/*

352
	 * GHASH is needed for AES_128_GCM and AES_256_GCM. Three

353
	 * implementations are provided:

354
	 *

355
	 *    ctmul     Uses 32-bit multiplications with a 64-bit result.

356
	 *

357
	 *    ctmul32   Uses 32-bit multiplications with a 32-bit result.

358
	 *

359
	 *    ctmul64   Uses 64-bit multiplications with a 64-bit result.

360
	 *

361
	 * On 64-bit platforms, ctmul64 is the smallest and fastest of

362
	 * the three. On 32-bit systems, ctmul should be preferred. The

363
	 * ctmul32 implementation is meant to be used for the specific

364
	 * 32-bit systems that do not have a 32x32->64 multiplier (i.e.

365
	 * the ARM Cortex-M0 and Cortex-M0+).

366
	 *

367
	 * These implementations are all constant-time as long as the

368
	 * underlying multiplication opcode is constant-time (which is

369
	 * true for all modern systems, but not for older architectures

370
	 * such that ARM9 or 80486).

371
	 */

372
	br_ssl_engine_set_ghash(&cc->eng,

373
		&br_ghash_ctmul);

374
	/* Alternate: ghash_ctmul32

375
	br_ssl_engine_set_ghash(&cc->eng,

376
		&br_ghash_ctmul32);

377
	*/

378
	/* Alternate: ghash_ctmul64

379
	br_ssl_engine_set_ghash(&cc->eng,

380
		&br_ghash_ctmul64);

381
	*/

382


383
#if 0

384
	/*

385
	 * For a client, the normal case is to validate the server

386
	 * certificate with regards to a set of trust anchors. This

387
	 * entails using a br_x509_minimal_context structure, configured

388
	 * with the relevant algorithms, as shown below.

389
	 *

390
	 * Alternatively, the client could "know" the intended server

391
	 * public key through an out-of-band mechanism, in which case

392
	 * a br_x509_knownkey_context is appropriate, for a much reduced

393
	 * code footprint.

394
	 *

395
	 * We assume here that the following extra parameters have been

396
	 * provided:

397
	 *

398
	 *   xc                  engine context (br_x509_minimal_context *)

399
	 *   trust_anchors       trust anchors (br_x509_trust_anchor *)

400
	 *   trust_anchors_num   number of trust anchors (size_t)

401
	 */

402


403
	/*

404
	 * The X.509 engine needs a hash function for processing the

405
	 * subject and issuer DN of certificates and trust anchors. Any

406
	 * supported hash function is appropriate; here we use SHA-256.

407
	 * The trust an

408
	 */

409
	br_x509_minimal_init(xc, &br_sha256_vtable,

410
		trust_anchors, trust_anchors_num);

411


412
	/*

413
	 * Set suites and asymmetric crypto implementations. We use the

414
	 * "i31" code for RSA (it is somewhat faster than the "i32"

415
	 * implementation). These implementations are used for

416
	 * signature verification on certificates, but not for the

417
	 * SSL-specific usage of the server's public key. For instance,

418
	 * if the server has an EC public key but the rest of the chain

419
	 * (intermediate CA, root...) use RSA, then you would need only

420
	 * the RSA verification function below.

421
	 */

422
	br_x509_minimal_set_rsa(xc, &br_rsa_i31_pkcs1_vrfy);

423
	br_x509_minimal_set_ecdsa(xc,

424
		&br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1);

425


426
	/*

427
	 * Set supported hash functions. These are for signatures on

428
	 * certificates. There again, you only need the hash functions

429
	 * that are actually used in certificates, but if a given

430
	 * function was included for the SSL engine, you may as well

431
	 * add it here.

432
	 *

433
	 * Note: the engine explicitly rejects signatures that use MD5.

434
	 * Thus, there is no need for MD5 here.

435
	 */

436
	br_ssl_engine_set_hash(xc, br_sha1_ID, &br_sha1_vtable);

437
	br_ssl_engine_set_hash(xc, br_sha224_ID, &br_sha224_vtable);

438
	br_ssl_engine_set_hash(xc, br_sha256_ID, &br_sha256_vtable);

439
	br_ssl_engine_set_hash(xc, br_sha384_ID, &br_sha384_vtable);

440
	br_ssl_engine_set_hash(xc, br_sha512_ID, &br_sha512_vtable);

441


442
	/*

443
	 * Link the X.509 engine in the SSL engine.

444
	 */

445
	br_ssl_engine_set_x509(&cc->eng, &xc->vtable);

446
#endif

447
}

448


449
/*

450
 * Example server profile. Most of it is shared with the client

451
 * profile, so see the comments in the client function for details.

452
 *

453
 * This example function assumes a server with a (unique) RSA private

454
 * key, so the list of cipher suites is trimmed down for RSA.

455
 */

456
void

457
example_server_profile(br_ssl_server_context *cc,

458
	const br_x509_certificate *chain, size_t chain_len,

459
	const br_rsa_private_key *sk)

460
{

461
	static const uint16_t suites[] = {

462
		BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

463
		BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

464
		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,

465
		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

466
		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

467
		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

468
		BR_TLS_RSA_WITH_AES_128_GCM_SHA256,

469
		BR_TLS_RSA_WITH_AES_256_GCM_SHA384,

470
		BR_TLS_RSA_WITH_AES_128_CBC_SHA256,

471
		BR_TLS_RSA_WITH_AES_256_CBC_SHA256,

472
		BR_TLS_RSA_WITH_AES_128_CBC_SHA,

473
		BR_TLS_RSA_WITH_AES_256_CBC_SHA,

474
		BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,

475
		BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA

476
	};

477


478
	br_ssl_server_zero(cc);

479
	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);

480


481
	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);

482
	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);

483
	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);

484


485
	/*

486
	 * Apart from the requirements listed in the client side, these

487
	 * hash functions are also used by the server to compute its

488
	 * signature on ECDHE parameters. Which functions are needed

489
	 * depends on what the client may support; furthermore, the

490
	 * client may fail to send the relevant extension, in which

491
	 * case the server will default to whatever it can (as per the

492
	 * standard, it should be SHA-1 in that case).

493
	 */

494
	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);

495
	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);

496
	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);

497
	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);

498
	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);

499
	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);

500


501
	br_ssl_engine_set_suites(&cc->eng, suites,

502
		(sizeof suites) / (sizeof suites[0]));

503


504
	/*

505
	 * Elliptic curve implementation is used for ECDHE suites (but

506
	 * not for ECDH).

507
	 */

508
	br_ssl_engine_set_ec(&cc->eng, &br_ec_prime_i31);

509


510
	/*

511
	 * Set the "server policy": handler for the certificate chain

512
	 * and private key operations. Here, we indicate that the RSA

513
	 * private key is fit for both signing and decrypting, and we

514
	 * provide the two relevant implementations.

515


516
	 * BR_KEYTYPE_KEYX allows TLS_RSA_*, BR_KEYTYPE_SIGN allows

517
	 * TLS_ECDHE_RSA_*.

518
	 */

519
	br_ssl_server_set_single_rsa(cc, chain, chain_len, sk,

520
		BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,

521
		br_rsa_i31_private, br_rsa_i31_pkcs1_sign);

522
	/*

523
	 * If the server used an EC private key, this call would look

524
	 * like this:

525


526
	br_ssl_server_set_single_ec(cc, chain, chain_len, sk,

527
		BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,

528
		cert_issuer_key_type,

529
		&br_ec_prime_i31, br_ecdsa_i31_sign_asn1);

530


531
	 * Note the tricky points:

532
	 *

533
	 * -- "ECDH" cipher suites use only the EC code (&br_ec_prime_i31);

534
	 *    the ECDHE_ECDSA cipher suites need both the EC code and

535
	 *    the ECDSA signature implementation.

536
	 *

537
	 * -- For "ECDH" (not "ECDHE") cipher suites, the engine must

538
	 *    know the key type (RSA or EC) for the intermediate CA that

539
	 *    issued the server's certificate; this is an artefact of

540
	 *    how the protocol is defined. BearSSL won't try to decode

541
	 *    the server's certificate to obtain that information (it

542
	 *    could do that, the code is there, but it would increase the

543
	 *    footprint). So this must be provided by the caller.

544
	 *

545
	 * -- BR_KEYTYPE_KEYX allows ECDH, BR_KEYTYPE_SIGN allows

546
	 *    ECDHE_ECDSA.

547
	 */

548


549
	br_ssl_engine_set_cbc(&cc->eng,

550
		&br_sslrec_in_cbc_vtable,

551
		&br_sslrec_out_cbc_vtable);

552
	br_ssl_engine_set_gcm(&cc->eng,

553
		&br_sslrec_in_gcm_vtable,

554
		&br_sslrec_out_gcm_vtable);

555


556
	br_ssl_engine_set_aes_cbc(&cc->eng,

557
		&br_aes_ct_cbcenc_vtable,

558
		&br_aes_ct_cbcdec_vtable);

559
	br_ssl_engine_set_aes_ctr(&cc->eng,

560
		&br_aes_ct_ctr_vtable);

561
	/* Alternate: aes_ct64

562
	br_ssl_engine_set_aes_cbc(&cc->eng,

563
		&br_aes_ct64_cbcenc_vtable,

564
		&br_aes_ct64_cbcdec_vtable);

565
	br_ssl_engine_set_aes_ctr(&cc->eng,

566
		&br_aes_ct64_ctr_vtable);

567
	*/

568
	/* Alternate: aes_small

569
	br_ssl_engine_set_aes_cbc(&cc->eng,

570
		&br_aes_small_cbcenc_vtable,

571
		&br_aes_small_cbcdec_vtable);

572
	br_ssl_engine_set_aes_ctr(&cc->eng,

573
		&br_aes_small_ctr_vtable);

574
	*/

575
	/* Alternate: aes_big

576
	br_ssl_engine_set_aes_cbc(&cc->eng,

577
		&br_aes_big_cbcenc_vtable,

578
		&br_aes_big_cbcdec_vtable);

579
	br_ssl_engine_set_aes_ctr(&cc->eng,

580
		&br_aes_big_ctr_vtable);

581
	*/

582
	br_ssl_engine_set_des_cbc(&cc->eng,

583
		&br_des_ct_cbcenc_vtable,

584
		&br_des_ct_cbcdec_vtable);

585
	/* Alternate: des_tab

586
	br_ssl_engine_set_des_cbc(&cc->eng,

587
		&br_des_tab_cbcenc_vtable,

588
		&br_des_tab_cbcdec_vtable);

589
	*/

590


591
	br_ssl_engine_set_ghash(&cc->eng,

592
		&br_ghash_ctmul);

593
	/* Alternate: ghash_ctmul32

594
	br_ssl_engine_set_ghash(&cc->eng,

595
		&br_ghash_ctmul32);

596
	*/

597
	/* Alternate: ghash_ctmul64

598
	br_ssl_engine_set_ghash(&cc->eng,

599
		&br_ghash_ctmul64);

600
	*/

601
}

602


603