1
/*
2
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 */
11

12
#include <stdio.h>
13
#include <ctype.h>
14
#include <openssl/objects.h>
15
#include <openssl/comp.h>
16
#include <openssl/engine.h>
17
#include <openssl/crypto.h>
18
#include <openssl/conf.h>
19
#include <openssl/trace.h>
20
#include "internal/nelem.h"
21
#include "ssl_local.h"
22
#include "internal/thread_once.h"
23
#include "internal/cryptlib.h"
24
#include "internal/comp.h"
25
#include "internal/ssl_unwrap.h"
26

27
/* NB: make sure indices in these tables match values above */
28

29
typedef struct {
30
    uint32_t mask;
31
    int nid;
32
} ssl_cipher_table;
33

34
/* Table of NIDs for each cipher */
35
static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
36
    { SSL_DES, NID_des_cbc }, /* SSL_ENC_DES_IDX 0 */
37
    { SSL_3DES, NID_des_ede3_cbc }, /* SSL_ENC_3DES_IDX 1 */
38
    { SSL_RC4, NID_rc4 }, /* SSL_ENC_RC4_IDX 2 */
39
    { SSL_RC2, NID_rc2_cbc }, /* SSL_ENC_RC2_IDX 3 */
40
    { SSL_IDEA, NID_idea_cbc }, /* SSL_ENC_IDEA_IDX 4 */
41
    { SSL_eNULL, NID_undef }, /* SSL_ENC_NULL_IDX 5 */
42
    { SSL_AES128, NID_aes_128_cbc }, /* SSL_ENC_AES128_IDX 6 */
43
    { SSL_AES256, NID_aes_256_cbc }, /* SSL_ENC_AES256_IDX 7 */
44
    { SSL_CAMELLIA128, NID_camellia_128_cbc }, /* SSL_ENC_CAMELLIA128_IDX 8 */
45
    { SSL_CAMELLIA256, NID_camellia_256_cbc }, /* SSL_ENC_CAMELLIA256_IDX 9 */
46
    { SSL_eGOST2814789CNT, NID_gost89_cnt }, /* SSL_ENC_GOST89_IDX 10 */
47
    { SSL_SEED, NID_seed_cbc }, /* SSL_ENC_SEED_IDX 11 */
48
    { SSL_AES128GCM, NID_aes_128_gcm }, /* SSL_ENC_AES128GCM_IDX 12 */
49
    { SSL_AES256GCM, NID_aes_256_gcm }, /* SSL_ENC_AES256GCM_IDX 13 */
50
    { SSL_AES128CCM, NID_aes_128_ccm }, /* SSL_ENC_AES128CCM_IDX 14 */
51
    { SSL_AES256CCM, NID_aes_256_ccm }, /* SSL_ENC_AES256CCM_IDX 15 */
52
    { SSL_AES128CCM8, NID_aes_128_ccm }, /* SSL_ENC_AES128CCM8_IDX 16 */
53
    { SSL_AES256CCM8, NID_aes_256_ccm }, /* SSL_ENC_AES256CCM8_IDX 17 */
54
    { SSL_eGOST2814789CNT12, NID_gost89_cnt_12 }, /* SSL_ENC_GOST8912_IDX 18 */
55
    { SSL_CHACHA20POLY1305, NID_chacha20_poly1305 }, /* SSL_ENC_CHACHA_IDX 19 */
56
    { SSL_ARIA128GCM, NID_aria_128_gcm }, /* SSL_ENC_ARIA128GCM_IDX 20 */
57
    { SSL_ARIA256GCM, NID_aria_256_gcm }, /* SSL_ENC_ARIA256GCM_IDX 21 */
58
    { SSL_MAGMA, NID_magma_ctr_acpkm }, /* SSL_ENC_MAGMA_IDX */
59
    { SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm }, /* SSL_ENC_KUZNYECHIK_IDX */
60
};
61

62
/* NB: make sure indices in this table matches values above */
63
static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
64
    { SSL_MD5, NID_md5 }, /* SSL_MD_MD5_IDX 0 */
65
    { SSL_SHA1, NID_sha1 }, /* SSL_MD_SHA1_IDX 1 */
66
    { SSL_GOST94, NID_id_GostR3411_94 }, /* SSL_MD_GOST94_IDX 2 */
67
    { SSL_GOST89MAC, NID_id_Gost28147_89_MAC }, /* SSL_MD_GOST89MAC_IDX 3 */
68
    { SSL_SHA256, NID_sha256 }, /* SSL_MD_SHA256_IDX 4 */
69
    { SSL_SHA384, NID_sha384 }, /* SSL_MD_SHA384_IDX 5 */
70
    { SSL_GOST12_256, NID_id_GostR3411_2012_256 }, /* SSL_MD_GOST12_256_IDX 6 */
71
    { SSL_GOST89MAC12, NID_gost_mac_12 }, /* SSL_MD_GOST89MAC12_IDX 7 */
72
    { SSL_GOST12_512, NID_id_GostR3411_2012_512 }, /* SSL_MD_GOST12_512_IDX 8 */
73
    { 0, NID_md5_sha1 }, /* SSL_MD_MD5_SHA1_IDX 9 */
74
    { 0, NID_sha224 }, /* SSL_MD_SHA224_IDX 10 */
75
    { 0, NID_sha512 }, /* SSL_MD_SHA512_IDX 11 */
76
    { SSL_MAGMAOMAC, NID_magma_mac }, /* sSL_MD_MAGMAOMAC_IDX */
77
    { SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac } /* SSL_MD_KUZNYECHIKOMAC_IDX */
78
};
79

80
/* *INDENT-OFF* */
81
static const ssl_cipher_table ssl_cipher_table_kx[] = {
82
    { SSL_kRSA, NID_kx_rsa },
83
    { SSL_kECDHE, NID_kx_ecdhe },
84
    { SSL_kDHE, NID_kx_dhe },
85
    { SSL_kECDHEPSK, NID_kx_ecdhe_psk },
86
    { SSL_kDHEPSK, NID_kx_dhe_psk },
87
    { SSL_kRSAPSK, NID_kx_rsa_psk },
88
    { SSL_kPSK, NID_kx_psk },
89
    { SSL_kSRP, NID_kx_srp },
90
    { SSL_kGOST, NID_kx_gost },
91
    { SSL_kGOST18, NID_kx_gost18 },
92
    { SSL_kANY, NID_kx_any }
93
};
94

95
static const ssl_cipher_table ssl_cipher_table_auth[] = {
96
    { SSL_aRSA, NID_auth_rsa },
97
    { SSL_aECDSA, NID_auth_ecdsa },
98
    { SSL_aPSK, NID_auth_psk },
99
    { SSL_aDSS, NID_auth_dss },
100
    { SSL_aGOST01, NID_auth_gost01 },
101
    { SSL_aGOST12, NID_auth_gost12 },
102
    { SSL_aSRP, NID_auth_srp },
103
    { SSL_aNULL, NID_auth_null },
104
    { SSL_aANY, NID_auth_any }
105
};
106
/* *INDENT-ON* */
107

108
/* Utility function for table lookup */
109
static int ssl_cipher_info_find(const ssl_cipher_table *table,
110
    size_t table_cnt, uint32_t mask)
111
{
112
    size_t i;
113
    for (i = 0; i < table_cnt; i++, table++) {
114
        if (table->mask == mask)
115
            return (int)i;
116
    }
117
    return -1;
118
}
119

120
#define ssl_cipher_info_lookup(table, x) \
121
    ssl_cipher_info_find(table, OSSL_NELEM(table), x)
122

123
/*
124
 * PKEY_TYPE for GOST89MAC is known in advance, but, because implementation
125
 * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is
126
 * found
127
 */
128
static const int default_mac_pkey_id[SSL_MD_NUM_IDX] = {
129
    /* MD5, SHA, GOST94, MAC89 */
130
    EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
131
    /* SHA256, SHA384, GOST2012_256, MAC89-12 */
132
    EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
133
    /* GOST2012_512 */
134
    EVP_PKEY_HMAC,
135
    /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
136
    NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
137
};
138

139
#define CIPHER_ADD 1
140
#define CIPHER_KILL 2
141
#define CIPHER_DEL 3
142
#define CIPHER_ORD 4
143
#define CIPHER_SPECIAL 5
144
/*
145
 * Bump the ciphers to the top of the list.
146
 * This rule isn't currently supported by the public cipherstring API.
147
 */
148
#define CIPHER_BUMP 6
149

150
typedef struct cipher_order_st {
151
    const SSL_CIPHER *cipher;
152
    int active;
153
    int dead;
154
    struct cipher_order_st *next, *prev;
155
} CIPHER_ORDER;
156

157
static const SSL_CIPHER cipher_aliases[] = {
158
    /* "ALL" doesn't include eNULL (must be specifically enabled) */
159
    { 0, SSL_TXT_ALL, NULL, 0, 0, 0, ~SSL_eNULL },
160
    /* "COMPLEMENTOFALL" */
161
    { 0, SSL_TXT_CMPALL, NULL, 0, 0, 0, SSL_eNULL },
162

163
    /*
164
     * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
165
     * ALL!)
166
     */
167
    { 0, SSL_TXT_CMPDEF, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT },
168

169
    /*
170
     * key exchange aliases (some of those using only a single bit here
171
     * combine multiple key exchange algs according to the RFCs, e.g. kDHE
172
     * combines DHE_DSS and DHE_RSA)
173
     */
174
    { 0, SSL_TXT_kRSA, NULL, 0, SSL_kRSA },
175

176
    { 0, SSL_TXT_kEDH, NULL, 0, SSL_kDHE },
177
    { 0, SSL_TXT_kDHE, NULL, 0, SSL_kDHE },
178
    { 0, SSL_TXT_DH, NULL, 0, SSL_kDHE },
179

180
    { 0, SSL_TXT_kEECDH, NULL, 0, SSL_kECDHE },
181
    { 0, SSL_TXT_kECDHE, NULL, 0, SSL_kECDHE },
182
    { 0, SSL_TXT_ECDH, NULL, 0, SSL_kECDHE },
183

184
    { 0, SSL_TXT_kPSK, NULL, 0, SSL_kPSK },
185
    { 0, SSL_TXT_kRSAPSK, NULL, 0, SSL_kRSAPSK },
186
    { 0, SSL_TXT_kECDHEPSK, NULL, 0, SSL_kECDHEPSK },
187
    { 0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK },
188
    { 0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP },
189
    { 0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST },
190
    { 0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18 },
191

192
    /* server authentication aliases */
193
    { 0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA },
194
    { 0, SSL_TXT_aDSS, NULL, 0, 0, SSL_aDSS },
195
    { 0, SSL_TXT_DSS, NULL, 0, 0, SSL_aDSS },
196
    { 0, SSL_TXT_aNULL, NULL, 0, 0, SSL_aNULL },
197
    { 0, SSL_TXT_aECDSA, NULL, 0, 0, SSL_aECDSA },
198
    { 0, SSL_TXT_ECDSA, NULL, 0, 0, SSL_aECDSA },
199
    { 0, SSL_TXT_aPSK, NULL, 0, 0, SSL_aPSK },
200
    { 0, SSL_TXT_aGOST01, NULL, 0, 0, SSL_aGOST01 },
201
    { 0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12 },
202
    { 0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 | SSL_aGOST12 },
203
    { 0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP },
204

205
    /* aliases combining key exchange and server authentication */
206
    { 0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL },
207
    { 0, SSL_TXT_DHE, NULL, 0, SSL_kDHE, ~SSL_aNULL },
208
    { 0, SSL_TXT_EECDH, NULL, 0, SSL_kECDHE, ~SSL_aNULL },
209
    { 0, SSL_TXT_ECDHE, NULL, 0, SSL_kECDHE, ~SSL_aNULL },
210
    { 0, SSL_TXT_NULL, NULL, 0, 0, 0, SSL_eNULL },
211
    { 0, SSL_TXT_RSA, NULL, 0, SSL_kRSA, SSL_aRSA },
212
    { 0, SSL_TXT_ADH, NULL, 0, SSL_kDHE, SSL_aNULL },
213
    { 0, SSL_TXT_AECDH, NULL, 0, SSL_kECDHE, SSL_aNULL },
214
    { 0, SSL_TXT_PSK, NULL, 0, SSL_PSK },
215
    { 0, SSL_TXT_SRP, NULL, 0, SSL_kSRP },
216

217
    /* symmetric encryption aliases */
218
    { 0, SSL_TXT_3DES, NULL, 0, 0, 0, SSL_3DES },
219
    { 0, SSL_TXT_RC4, NULL, 0, 0, 0, SSL_RC4 },
220
    { 0, SSL_TXT_RC2, NULL, 0, 0, 0, SSL_RC2 },
221
    { 0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA },
222
    { 0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED },
223
    { 0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL },
224
    { 0, SSL_TXT_GOST, NULL, 0, 0, 0,
225
        SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK },
226
    { 0, SSL_TXT_AES128, NULL, 0, 0, 0,
227
        SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8 },
228
    { 0, SSL_TXT_AES256, NULL, 0, 0, 0,
229
        SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8 },
230
    { 0, SSL_TXT_AES, NULL, 0, 0, 0, SSL_AES },
231
    { 0, SSL_TXT_AES_GCM, NULL, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM },
232
    { 0, SSL_TXT_AES_CCM, NULL, 0, 0, 0,
233
        SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8 },
234
    { 0, SSL_TXT_AES_CCM_8, NULL, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8 },
235
    { 0, SSL_TXT_CAMELLIA128, NULL, 0, 0, 0, SSL_CAMELLIA128 },
236
    { 0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256 },
237
    { 0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA },
238
    { 0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20 },
239
    { 0, SSL_TXT_GOST2012_GOST8912_GOST8912, NULL, 0, 0, 0, SSL_eGOST2814789CNT12 },
240

241
    { 0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA },
242
    { 0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM },
243
    { 0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM },
244
    { 0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM },
245
    { 0, SSL_TXT_CBC, NULL, 0, 0, 0, SSL_CBC },
246

247
    /* MAC aliases */
248
    { 0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5 },
249
    { 0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1 },
250
    { 0, SSL_TXT_SHA, NULL, 0, 0, 0, 0, SSL_SHA1 },
251
    { 0, SSL_TXT_GOST94, NULL, 0, 0, 0, 0, SSL_GOST94 },
252
    { 0, SSL_TXT_GOST89MAC, NULL, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12 },
253
    { 0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256 },
254
    { 0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384 },
255
    { 0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256 },
256

257
    /* protocol version aliases */
258
    { 0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION },
259
    { 0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION },
260
    { 0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION },
261
    { 0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION },
262

263
    /* strength classes */
264
    { 0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW },
265
    { 0, SSL_TXT_MEDIUM, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM },
266
    { 0, SSL_TXT_HIGH, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH },
267
    /* FIPS 140-2 approved ciphersuite */
268
    { 0, SSL_TXT_FIPS, NULL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS },
269

270
    /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
271
    { 0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, NULL, 0,
272
        SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS },
273
    { 0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, NULL, 0,
274
        SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS },
275

276
};
277

278
/*
279
 * Search for public key algorithm with given name and return its pkey_id if
280
 * it is available. Otherwise return 0
281
 */
282
#ifdef OPENSSL_NO_ENGINE
283

284
static int get_optional_pkey_id(const char *pkey_name)
285
{
286
    const EVP_PKEY_ASN1_METHOD *ameth;
287
    int pkey_id = 0;
288
    ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);
289
    if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth) > 0)
290
        return pkey_id;
291
    return 0;
292
}
293

294
#else
295

296
static int get_optional_pkey_id(const char *pkey_name)
297
{
298
    const EVP_PKEY_ASN1_METHOD *ameth;
299
    ENGINE *tmpeng = NULL;
300
    int pkey_id = 0;
301
    ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
302
    if (ameth) {
303
        if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
304
                ameth)
305
            <= 0)
306
            pkey_id = 0;
307
    }
308
    tls_engine_finish(tmpeng);
309
    return pkey_id;
310
}
311

312
#endif
313

314
int ssl_load_ciphers(SSL_CTX *ctx)
315
{
316
    size_t i;
317
    const ssl_cipher_table *t;
318
    EVP_KEYEXCH *kex = NULL;
319
    EVP_SIGNATURE *sig = NULL;
320

321
    ctx->disabled_enc_mask = 0;
322
    for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
323
        if (t->nid != NID_undef) {
324
            const EVP_CIPHER *cipher
325
                = ssl_evp_cipher_fetch(ctx->libctx, t->nid, ctx->propq);
326

327
            ctx->ssl_cipher_methods[i] = cipher;
328
            if (cipher == NULL)
329
                ctx->disabled_enc_mask |= t->mask;
330
        }
331
    }
332
    ctx->disabled_mac_mask = 0;
333
    for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
334
        const EVP_MD *md
335
            = ssl_evp_md_fetch(ctx->libctx, t->nid, ctx->propq);
336

337
        ctx->ssl_digest_methods[i] = md;
338
        if (md == NULL) {
339
            ctx->disabled_mac_mask |= t->mask;
340
        } else {
341
            int tmpsize = EVP_MD_get_size(md);
342

343
            if (!ossl_assert(tmpsize > 0))
344
                return 0;
345
            ctx->ssl_mac_secret_size[i] = tmpsize;
346
        }
347
    }
348

349
    ctx->disabled_mkey_mask = 0;
350
    ctx->disabled_auth_mask = 0;
351

352
    /*
353
     * We ignore any errors from the fetches below. They are expected to fail
354
     * if these algorithms are not available.
355
     */
356
    ERR_set_mark();
357
    sig = EVP_SIGNATURE_fetch(ctx->libctx, "DSA", ctx->propq);
358
    if (sig == NULL)
359
        ctx->disabled_auth_mask |= SSL_aDSS;
360
    else
361
        EVP_SIGNATURE_free(sig);
362
    kex = EVP_KEYEXCH_fetch(ctx->libctx, "DH", ctx->propq);
363
    if (kex == NULL)
364
        ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK;
365
    else
366
        EVP_KEYEXCH_free(kex);
367
    kex = EVP_KEYEXCH_fetch(ctx->libctx, "ECDH", ctx->propq);
368
    if (kex == NULL)
369
        ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK;
370
    else
371
        EVP_KEYEXCH_free(kex);
372
    sig = EVP_SIGNATURE_fetch(ctx->libctx, "ECDSA", ctx->propq);
373
    if (sig == NULL)
374
        ctx->disabled_auth_mask |= SSL_aECDSA;
375
    else
376
        EVP_SIGNATURE_free(sig);
377
    ERR_pop_to_mark();
378

379
#ifdef OPENSSL_NO_PSK
380
    ctx->disabled_mkey_mask |= SSL_PSK;
381
    ctx->disabled_auth_mask |= SSL_aPSK;
382
#endif
383
#ifdef OPENSSL_NO_SRP
384
    ctx->disabled_mkey_mask |= SSL_kSRP;
385
#endif
386

387
    /*
388
     * Check for presence of GOST 34.10 algorithms, and if they are not
389
     * present, disable appropriate auth and key exchange
390
     */
391
    memcpy(ctx->ssl_mac_pkey_id, default_mac_pkey_id,
392
        sizeof(ctx->ssl_mac_pkey_id));
393

394
    ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id(SN_id_Gost28147_89_MAC);
395
    if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
396
        ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
397
    else
398
        ctx->disabled_mac_mask |= SSL_GOST89MAC;
399

400
    ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = get_optional_pkey_id(SN_gost_mac_12);
401
    if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
402
        ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
403
    else
404
        ctx->disabled_mac_mask |= SSL_GOST89MAC12;
405

406
    ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] = get_optional_pkey_id(SN_magma_mac);
407
    if (ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
408
        ctx->ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
409
    else
410
        ctx->disabled_mac_mask |= SSL_MAGMAOMAC;
411

412
    ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] = get_optional_pkey_id(SN_kuznyechik_mac);
413
    if (ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
414
        ctx->ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
415
    else
416
        ctx->disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
417

418
    if (!get_optional_pkey_id(SN_id_GostR3410_2001))
419
        ctx->disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
420
    if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
421
        ctx->disabled_auth_mask |= SSL_aGOST12;
422
    if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
423
        ctx->disabled_auth_mask |= SSL_aGOST12;
424
    /*
425
     * Disable GOST key exchange if no GOST signature algs are available *
426
     */
427
    if ((ctx->disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) == (SSL_aGOST01 | SSL_aGOST12))
428
        ctx->disabled_mkey_mask |= SSL_kGOST;
429

430
    if ((ctx->disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12)
431
        ctx->disabled_mkey_mask |= SSL_kGOST18;
432

433
    return 1;
434
}
435

436
int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
437
    const EVP_CIPHER **enc)
438
{
439
    int i = ssl_cipher_info_lookup(ssl_cipher_table_cipher,
440
        sslc->algorithm_enc);
441

442
    if (i == -1) {
443
        *enc = NULL;
444
    } else {
445
        if (i == SSL_ENC_NULL_IDX) {
446
            /*
447
             * We assume we don't care about this coming from an ENGINE so
448
             * just do a normal EVP_CIPHER_fetch instead of
449
             * ssl_evp_cipher_fetch()
450
             */
451
            *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq);
452
            if (*enc == NULL)
453
                return 0;
454
        } else {
455
            const EVP_CIPHER *cipher = ctx->ssl_cipher_methods[i];
456

457
            if (cipher == NULL
458
                || !ssl_evp_cipher_up_ref(cipher))
459
                return 0;
460
            *enc = ctx->ssl_cipher_methods[i];
461
        }
462
    }
463
    return 1;
464
}
465

466
int ssl_cipher_get_evp_md_mac(SSL_CTX *ctx, const SSL_CIPHER *sslc,
467
    const EVP_MD **md,
468
    int *mac_pkey_type, size_t *mac_secret_size)
469
{
470
    int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, sslc->algorithm_mac);
471

472
    if (i == -1) {
473
        *md = NULL;
474
        if (mac_pkey_type != NULL)
475
            *mac_pkey_type = NID_undef;
476
        if (mac_secret_size != NULL)
477
            *mac_secret_size = 0;
478
    } else {
479
        const EVP_MD *digest = ctx->ssl_digest_methods[i];
480

481
        if (digest == NULL || !ssl_evp_md_up_ref(digest))
482
            return 0;
483

484
        *md = digest;
485
        if (mac_pkey_type != NULL)
486
            *mac_pkey_type = ctx->ssl_mac_pkey_id[i];
487
        if (mac_secret_size != NULL)
488
            *mac_secret_size = ctx->ssl_mac_secret_size[i];
489
    }
490
    return 1;
491
}
492

493
int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
494
    const EVP_CIPHER **enc, const EVP_MD **md,
495
    int *mac_pkey_type, size_t *mac_secret_size,
496
    SSL_COMP **comp, int use_etm)
497
{
498
    int i;
499
    const SSL_CIPHER *c;
500

501
    c = s->cipher;
502
    if (c == NULL)
503
        return 0;
504
    if (comp != NULL) {
505
        SSL_COMP ctmp;
506
        STACK_OF(SSL_COMP) *comp_methods;
507

508
        *comp = NULL;
509
        ctmp.id = s->compress_meth;
510
        comp_methods = SSL_COMP_get_compression_methods();
511
        if (comp_methods != NULL) {
512
            i = sk_SSL_COMP_find(comp_methods, &ctmp);
513
            if (i >= 0)
514
                *comp = sk_SSL_COMP_value(comp_methods, i);
515
        }
516
        /* If were only interested in comp then return success */
517
        if ((enc == NULL) && (md == NULL))
518
            return 1;
519
    }
520

521
    if ((enc == NULL) || (md == NULL))
522
        return 0;
523

524
    if (!ssl_cipher_get_evp_cipher(ctx, c, enc))
525
        return 0;
526

527
    if (!ssl_cipher_get_evp_md_mac(ctx, c, md, mac_pkey_type,
528
            mac_secret_size)) {
529
        ssl_evp_cipher_free(*enc);
530
        return 0;
531
    }
532

533
    if ((*enc != NULL)
534
        && (*md != NULL
535
            || (EVP_CIPHER_get_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER))
536
        && (c->algorithm_mac == SSL_AEAD
537
            || mac_pkey_type == NULL || *mac_pkey_type != NID_undef)) {
538
        const EVP_CIPHER *evp = NULL;
539

540
        if (use_etm
541
            || s->ssl_version >> 8 != TLS1_VERSION_MAJOR
542
            || s->ssl_version < TLS1_VERSION)
543
            return 1;
544

545
        if (c->algorithm_enc == SSL_RC4
546
            && c->algorithm_mac == SSL_MD5)
547
            evp = ssl_evp_cipher_fetch(ctx->libctx, NID_rc4_hmac_md5,
548
                ctx->propq);
549
        else if (c->algorithm_enc == SSL_AES128
550
            && c->algorithm_mac == SSL_SHA1)
551
            evp = ssl_evp_cipher_fetch(ctx->libctx,
552
                NID_aes_128_cbc_hmac_sha1,
553
                ctx->propq);
554
        else if (c->algorithm_enc == SSL_AES256
555
            && c->algorithm_mac == SSL_SHA1)
556
            evp = ssl_evp_cipher_fetch(ctx->libctx,
557
                NID_aes_256_cbc_hmac_sha1,
558
                ctx->propq);
559
        else if (c->algorithm_enc == SSL_AES128
560
            && c->algorithm_mac == SSL_SHA256)
561
            evp = ssl_evp_cipher_fetch(ctx->libctx,
562
                NID_aes_128_cbc_hmac_sha256,
563
                ctx->propq);
564
        else if (c->algorithm_enc == SSL_AES256
565
            && c->algorithm_mac == SSL_SHA256)
566
            evp = ssl_evp_cipher_fetch(ctx->libctx,
567
                NID_aes_256_cbc_hmac_sha256,
568
                ctx->propq);
569

570
        if (evp != NULL) {
571
            ssl_evp_cipher_free(*enc);
572
            ssl_evp_md_free(*md);
573
            *enc = evp;
574
            *md = NULL;
575
        }
576
        return 1;
577
    }
578

579
    return 0;
580
}
581

582
const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
583
{
584
    idx &= SSL_HANDSHAKE_MAC_MASK;
585
    if (idx < 0 || idx >= SSL_MD_NUM_IDX)
586
        return NULL;
587
    return ctx->ssl_digest_methods[idx];
588
}
589

590
const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
591
{
592
    return ssl_md(SSL_CONNECTION_GET_CTX(s), ssl_get_algorithm2(s));
593
}
594

595
const EVP_MD *ssl_prf_md(SSL_CONNECTION *s)
596
{
597
    return ssl_md(SSL_CONNECTION_GET_CTX(s),
598
        ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT);
599
}
600

601
#define ITEM_SEP(a) \
602
    (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
603

604
static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
605
    CIPHER_ORDER **tail)
606
{
607
    if (curr == *tail)
608
        return;
609
    if (curr == *head)
610
        *head = curr->next;
611
    if (curr->prev != NULL)
612
        curr->prev->next = curr->next;
613
    if (curr->next != NULL)
614
        curr->next->prev = curr->prev;
615
    (*tail)->next = curr;
616
    curr->prev = *tail;
617
    curr->next = NULL;
618
    *tail = curr;
619
}
620

621
static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
622
    CIPHER_ORDER **tail)
623
{
624
    if (curr == *head)
625
        return;
626
    if (curr == *tail)
627
        *tail = curr->prev;
628
    if (curr->next != NULL)
629
        curr->next->prev = curr->prev;
630
    if (curr->prev != NULL)
631
        curr->prev->next = curr->next;
632
    (*head)->prev = curr;
633
    curr->next = *head;
634
    curr->prev = NULL;
635
    *head = curr;
636
}
637

638
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
639
    int num_of_ciphers,
640
    uint32_t disabled_mkey,
641
    uint32_t disabled_auth,
642
    uint32_t disabled_enc,
643
    uint32_t disabled_mac,
644
    CIPHER_ORDER *co_list,
645
    CIPHER_ORDER **head_p,
646
    CIPHER_ORDER **tail_p)
647
{
648
    int i, co_list_num;
649
    const SSL_CIPHER *c;
650

651
    /*
652
     * We have num_of_ciphers descriptions compiled in, depending on the
653
     * method selected (SSLv3, TLSv1 etc).
654
     * These will later be sorted in a linked list with at most num
655
     * entries.
656
     */
657

658
    /* Get the initial list of ciphers */
659
    co_list_num = 0; /* actual count of ciphers */
660
    for (i = 0; i < num_of_ciphers; i++) {
661
        c = ssl_method->get_cipher(i);
662
        /* drop those that use any of that is not available */
663
        if (c == NULL || !c->valid)
664
            continue;
665
        if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || (c->algorithm_mac & disabled_mac))
666
            continue;
667
        if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) && c->min_tls == 0)
668
            continue;
669
        if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) && c->min_dtls == 0)
670
            continue;
671

672
        co_list[co_list_num].cipher = c;
673
        co_list[co_list_num].next = NULL;
674
        co_list[co_list_num].prev = NULL;
675
        co_list[co_list_num].active = 0;
676
        co_list_num++;
677
    }
678

679
    /*
680
     * Prepare linked list from list entries
681
     */
682
    if (co_list_num > 0) {
683
        co_list[0].prev = NULL;
684

685
        if (co_list_num > 1) {
686
            co_list[0].next = &co_list[1];
687

688
            for (i = 1; i < co_list_num - 1; i++) {
689
                co_list[i].prev = &co_list[i - 1];
690
                co_list[i].next = &co_list[i + 1];
691
            }
692

693
            co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
694
        }
695

696
        co_list[co_list_num - 1].next = NULL;
697

698
        *head_p = &co_list[0];
699
        *tail_p = &co_list[co_list_num - 1];
700
    }
701
}
702

703
static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
704
    int num_of_group_aliases,
705
    uint32_t disabled_mkey,
706
    uint32_t disabled_auth,
707
    uint32_t disabled_enc,
708
    uint32_t disabled_mac,
709
    CIPHER_ORDER *head)
710
{
711
    CIPHER_ORDER *ciph_curr;
712
    const SSL_CIPHER **ca_curr;
713
    int i;
714
    uint32_t mask_mkey = ~disabled_mkey;
715
    uint32_t mask_auth = ~disabled_auth;
716
    uint32_t mask_enc = ~disabled_enc;
717
    uint32_t mask_mac = ~disabled_mac;
718

719
    /*
720
     * First, add the real ciphers as already collected
721
     */
722
    ciph_curr = head;
723
    ca_curr = ca_list;
724
    while (ciph_curr != NULL) {
725
        *ca_curr = ciph_curr->cipher;
726
        ca_curr++;
727
        ciph_curr = ciph_curr->next;
728
    }
729

730
    /*
731
     * Now we add the available ones from the cipher_aliases[] table.
732
     * They represent either one or more algorithms, some of which
733
     * in any affected category must be supported (set in enabled_mask),
734
     * or represent a cipher strength value (will be added in any case because algorithms=0).
735
     */
736
    for (i = 0; i < num_of_group_aliases; i++) {
737
        uint32_t algorithm_mkey = cipher_aliases[i].algorithm_mkey;
738
        uint32_t algorithm_auth = cipher_aliases[i].algorithm_auth;
739
        uint32_t algorithm_enc = cipher_aliases[i].algorithm_enc;
740
        uint32_t algorithm_mac = cipher_aliases[i].algorithm_mac;
741

742
        if (algorithm_mkey)
743
            if ((algorithm_mkey & mask_mkey) == 0)
744
                continue;
745

746
        if (algorithm_auth)
747
            if ((algorithm_auth & mask_auth) == 0)
748
                continue;
749

750
        if (algorithm_enc)
751
            if ((algorithm_enc & mask_enc) == 0)
752
                continue;
753

754
        if (algorithm_mac)
755
            if ((algorithm_mac & mask_mac) == 0)
756
                continue;
757

758
        *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
759
        ca_curr++;
760
    }
761

762
    *ca_curr = NULL; /* end of list */
763
}
764

765
static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
766
    uint32_t alg_auth, uint32_t alg_enc,
767
    uint32_t alg_mac, int min_tls,
768
    uint32_t algo_strength, int rule,
769
    int32_t strength_bits, CIPHER_ORDER **head_p,
770
    CIPHER_ORDER **tail_p)
771
{
772
    CIPHER_ORDER *head, *tail, *curr, *next, *last;
773
    const SSL_CIPHER *cp;
774
    int reverse = 0;
775

776
    OSSL_TRACE_BEGIN(TLS_CIPHER)
777
    {
778
        BIO_printf(trc_out,
779
            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
780
            rule, (unsigned int)alg_mkey, (unsigned int)alg_auth,
781
            (unsigned int)alg_enc, (unsigned int)alg_mac, min_tls,
782
            (unsigned int)algo_strength, (int)strength_bits);
783
    }
784

785
    if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
786
        reverse = 1; /* needed to maintain sorting between currently
787
                      * deleted ciphers */
788

789
    head = *head_p;
790
    tail = *tail_p;
791

792
    if (reverse) {
793
        next = tail;
794
        last = head;
795
    } else {
796
        next = head;
797
        last = tail;
798
    }
799

800
    curr = NULL;
801
    for (;;) {
802
        if (curr == last)
803
            break;
804

805
        curr = next;
806

807
        if (curr == NULL)
808
            break;
809

810
        next = reverse ? curr->prev : curr->next;
811

812
        cp = curr->cipher;
813

814
        /*
815
         * Selection criteria is either the value of strength_bits
816
         * or the algorithms used.
817
         */
818
        if (strength_bits >= 0) {
819
            if (strength_bits != cp->strength_bits)
820
                continue;
821
        } else {
822
            if (trc_out != NULL) {
823
                BIO_printf(trc_out,
824
                    "\nName: %s:"
825
                    "\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n",
826
                    cp->name,
827
                    (unsigned int)cp->algorithm_mkey,
828
                    (unsigned int)cp->algorithm_auth,
829
                    (unsigned int)cp->algorithm_enc,
830
                    (unsigned int)cp->algorithm_mac,
831
                    cp->min_tls,
832
                    (unsigned int)cp->algo_strength);
833
            }
834
            if (cipher_id != 0 && (cipher_id != cp->id))
835
                continue;
836
            if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
837
                continue;
838
            if (alg_auth && !(alg_auth & cp->algorithm_auth))
839
                continue;
840
            if (alg_enc && !(alg_enc & cp->algorithm_enc))
841
                continue;
842
            if (alg_mac && !(alg_mac & cp->algorithm_mac))
843
                continue;
844
            if (min_tls && (min_tls != cp->min_tls))
845
                continue;
846
            if ((algo_strength & SSL_STRONG_MASK)
847
                && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
848
                continue;
849
            if ((algo_strength & SSL_DEFAULT_MASK)
850
                && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
851
                continue;
852
        }
853

854
        if (trc_out != NULL)
855
            BIO_printf(trc_out, "Action = %d\n", rule);
856

857
        /* add the cipher if it has not been added yet. */
858
        if (rule == CIPHER_ADD) {
859
            /* reverse == 0 */
860
            if (!curr->active) {
861
                ll_append_tail(&head, curr, &tail);
862
                curr->active = 1;
863
            }
864
        }
865
        /* Move the added cipher to this location */
866
        else if (rule == CIPHER_ORD) {
867
            /* reverse == 0 */
868
            if (curr->active) {
869
                ll_append_tail(&head, curr, &tail);
870
            }
871
        } else if (rule == CIPHER_DEL) {
872
            /* reverse == 1 */
873
            if (curr->active) {
874
                /*
875
                 * most recently deleted ciphersuites get best positions for
876
                 * any future CIPHER_ADD (note that the CIPHER_DEL loop works
877
                 * in reverse to maintain the order)
878
                 */
879
                ll_append_head(&head, curr, &tail);
880
                curr->active = 0;
881
            }
882
        } else if (rule == CIPHER_BUMP) {
883
            if (curr->active)
884
                ll_append_head(&head, curr, &tail);
885
        } else if (rule == CIPHER_KILL) {
886
            /* reverse == 0 */
887
            if (head == curr)
888
                head = curr->next;
889
            else
890
                curr->prev->next = curr->next;
891
            if (tail == curr)
892
                tail = curr->prev;
893
            curr->active = 0;
894
            if (curr->next != NULL)
895
                curr->next->prev = curr->prev;
896
            if (curr->prev != NULL)
897
                curr->prev->next = curr->next;
898
            curr->next = NULL;
899
            curr->prev = NULL;
900
        }
901
    }
902

903
    *head_p = head;
904
    *tail_p = tail;
905

906
    OSSL_TRACE_END(TLS_CIPHER);
907
}
908

909
static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
910
    CIPHER_ORDER **tail_p)
911
{
912
    int32_t max_strength_bits;
913
    int i, *number_uses;
914
    CIPHER_ORDER *curr;
915

916
    /*
917
     * This routine sorts the ciphers with descending strength. The sorting
918
     * must keep the pre-sorted sequence, so we apply the normal sorting
919
     * routine as '+' movement to the end of the list.
920
     */
921
    max_strength_bits = 0;
922
    curr = *head_p;
923
    while (curr != NULL) {
924
        if (curr->active && (curr->cipher->strength_bits > max_strength_bits))
925
            max_strength_bits = curr->cipher->strength_bits;
926
        curr = curr->next;
927
    }
928

929
    number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1));
930
    if (number_uses == NULL)
931
        return 0;
932

933
    /*
934
     * Now find the strength_bits values actually used
935
     */
936
    curr = *head_p;
937
    while (curr != NULL) {
938
        if (curr->active)
939
            number_uses[curr->cipher->strength_bits]++;
940
        curr = curr->next;
941
    }
942
    /*
943
     * Go through the list of used strength_bits values in descending
944
     * order.
945
     */
946
    for (i = max_strength_bits; i >= 0; i--)
947
        if (number_uses[i] > 0)
948
            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
949
                tail_p);
950

951
    OPENSSL_free(number_uses);
952
    return 1;
953
}
954

955
static int ssl_cipher_process_rulestr(const char *rule_str,
956
    CIPHER_ORDER **head_p,
957
    CIPHER_ORDER **tail_p,
958
    const SSL_CIPHER **ca_list, CERT *c)
959
{
960
    uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
961
    int min_tls;
962
    const char *l, *buf;
963
    int j, multi, found, rule, retval, ok, buflen;
964
    uint32_t cipher_id = 0;
965
    char ch;
966

967
    retval = 1;
968
    l = rule_str;
969
    for (;;) {
970
        ch = *l;
971

972
        if (ch == '\0')
973
            break; /* done */
974
        if (ch == '-') {
975
            rule = CIPHER_DEL;
976
            l++;
977
        } else if (ch == '+') {
978
            rule = CIPHER_ORD;
979
            l++;
980
        } else if (ch == '!') {
981
            rule = CIPHER_KILL;
982
            l++;
983
        } else if (ch == '@') {
984
            rule = CIPHER_SPECIAL;
985
            l++;
986
        } else {
987
            rule = CIPHER_ADD;
988
        }
989

990
        if (ITEM_SEP(ch)) {
991
            l++;
992
            continue;
993
        }
994

995
        alg_mkey = 0;
996
        alg_auth = 0;
997
        alg_enc = 0;
998
        alg_mac = 0;
999
        min_tls = 0;
1000
        algo_strength = 0;
1001

1002
        for (;;) {
1003
            ch = *l;
1004
            buf = l;
1005
            buflen = 0;
1006
#ifndef CHARSET_EBCDIC
1007
            while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '_') || (ch == '.') || (ch == '='))
1008
#else
1009
            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '_') || (ch == '.')
1010
                || (ch == '='))
1011
#endif
1012
            {
1013
                ch = *(++l);
1014
                buflen++;
1015
            }
1016

1017
            if (buflen == 0) {
1018
                /*
1019
                 * We hit something we cannot deal with,
1020
                 * it is no command or separator nor
1021
                 * alphanumeric, so we call this an error.
1022
                 */
1023
                ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
1024
                return 0;
1025
            }
1026

1027
            if (rule == CIPHER_SPECIAL) {
1028
                found = 0; /* unused -- avoid compiler warning */
1029
                break; /* special treatment */
1030
            }
1031

1032
            /* check for multi-part specification */
1033
            if (ch == '+') {
1034
                multi = 1;
1035
                l++;
1036
            } else {
1037
                multi = 0;
1038
            }
1039

1040
            /*
1041
             * Now search for the cipher alias in the ca_list. Be careful
1042
             * with the strncmp, because the "buflen" limitation
1043
             * will make the rule "ADH:SOME" and the cipher
1044
             * "ADH-MY-CIPHER" look like a match for buflen=3.
1045
             * So additionally check whether the cipher name found
1046
             * has the correct length. We can save a strlen() call:
1047
             * just checking for the '\0' at the right place is
1048
             * sufficient, we have to strncmp() anyway. (We cannot
1049
             * use strcmp(), because buf is not '\0' terminated.)
1050
             */
1051
            j = found = 0;
1052
            cipher_id = 0;
1053
            while (ca_list[j]) {
1054
                if (strncmp(buf, ca_list[j]->name, buflen) == 0
1055
                    && (ca_list[j]->name[buflen] == '\0')) {
1056
                    found = 1;
1057
                    break;
1058
                } else if (ca_list[j]->stdname != NULL
1059
                    && strncmp(buf, ca_list[j]->stdname, buflen) == 0
1060
                    && ca_list[j]->stdname[buflen] == '\0') {
1061
                    found = 1;
1062
                    break;
1063
                } else
1064
                    j++;
1065
            }
1066

1067
            if (!found)
1068
                break; /* ignore this entry */
1069

1070
            if (ca_list[j]->algorithm_mkey) {
1071
                if (alg_mkey) {
1072
                    alg_mkey &= ca_list[j]->algorithm_mkey;
1073
                    if (!alg_mkey) {
1074
                        found = 0;
1075
                        break;
1076
                    }
1077
                } else {
1078
                    alg_mkey = ca_list[j]->algorithm_mkey;
1079
                }
1080
            }
1081

1082
            if (ca_list[j]->algorithm_auth) {
1083
                if (alg_auth) {
1084
                    alg_auth &= ca_list[j]->algorithm_auth;
1085
                    if (!alg_auth) {
1086
                        found = 0;
1087
                        break;
1088
                    }
1089
                } else {
1090
                    alg_auth = ca_list[j]->algorithm_auth;
1091
                }
1092
            }
1093

1094
            if (ca_list[j]->algorithm_enc) {
1095
                if (alg_enc) {
1096
                    alg_enc &= ca_list[j]->algorithm_enc;
1097
                    if (!alg_enc) {
1098
                        found = 0;
1099
                        break;
1100
                    }
1101
                } else {
1102
                    alg_enc = ca_list[j]->algorithm_enc;
1103
                }
1104
            }
1105

1106
            if (ca_list[j]->algorithm_mac) {
1107
                if (alg_mac) {
1108
                    alg_mac &= ca_list[j]->algorithm_mac;
1109
                    if (!alg_mac) {
1110
                        found = 0;
1111
                        break;
1112
                    }
1113
                } else {
1114
                    alg_mac = ca_list[j]->algorithm_mac;
1115
                }
1116
            }
1117

1118
            if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
1119
                if (algo_strength & SSL_STRONG_MASK) {
1120
                    algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
1121
                    if (!(algo_strength & SSL_STRONG_MASK)) {
1122
                        found = 0;
1123
                        break;
1124
                    }
1125
                } else {
1126
                    algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;
1127
                }
1128
            }
1129

1130
            if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
1131
                if (algo_strength & SSL_DEFAULT_MASK) {
1132
                    algo_strength &= (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) | ~SSL_DEFAULT_MASK;
1133
                    if (!(algo_strength & SSL_DEFAULT_MASK)) {
1134
                        found = 0;
1135
                        break;
1136
                    }
1137
                } else {
1138
                    algo_strength |= ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
1139
                }
1140
            }
1141

1142
            if (ca_list[j]->valid) {
1143
                /*
1144
                 * explicit ciphersuite found; its protocol version does not
1145
                 * become part of the search pattern!
1146
                 */
1147

1148
                cipher_id = ca_list[j]->id;
1149
            } else {
1150
                /*
1151
                 * not an explicit ciphersuite; only in this case, the
1152
                 * protocol version is considered part of the search pattern
1153
                 */
1154

1155
                if (ca_list[j]->min_tls) {
1156
                    if (min_tls != 0 && min_tls != ca_list[j]->min_tls) {
1157
                        found = 0;
1158
                        break;
1159
                    } else {
1160
                        min_tls = ca_list[j]->min_tls;
1161
                    }
1162
                }
1163
            }
1164

1165
            if (!multi)
1166
                break;
1167
        }
1168

1169
        /*
1170
         * Ok, we have the rule, now apply it
1171
         */
1172
        if (rule == CIPHER_SPECIAL) { /* special command */
1173
            ok = 0;
1174
            if ((buflen == 8) && HAS_PREFIX(buf, "STRENGTH")) {
1175
                ok = ssl_cipher_strength_sort(head_p, tail_p);
1176
            } else if (buflen == 10 && CHECK_AND_SKIP_PREFIX(buf, "SECLEVEL=")) {
1177
                int level = *buf - '0';
1178
                if (level < 0 || level > 5) {
1179
                    ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
1180
                } else {
1181
                    c->sec_level = level;
1182
                    ok = 1;
1183
                }
1184
            } else {
1185
                ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
1186
            }
1187
            if (ok == 0)
1188
                retval = 0;
1189
            /*
1190
             * We do not support any "multi" options
1191
             * together with "@", so throw away the
1192
             * rest of the command, if any left, until
1193
             * end or ':' is found.
1194
             */
1195
            while ((*l != '\0') && !ITEM_SEP(*l))
1196
                l++;
1197
        } else if (found) {
1198
            ssl_cipher_apply_rule(cipher_id,
1199
                alg_mkey, alg_auth, alg_enc, alg_mac,
1200
                min_tls, algo_strength, rule, -1, head_p,
1201
                tail_p);
1202
        } else {
1203
            while ((*l != '\0') && !ITEM_SEP(*l))
1204
                l++;
1205
        }
1206
        if (*l == '\0')
1207
            break; /* done */
1208
    }
1209

1210
    return retval;
1211
}
1212

1213
static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
1214
    const char **prule_str)
1215
{
1216
    unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
1217
    if (HAS_PREFIX(*prule_str, "SUITEB128ONLY")) {
1218
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
1219
    } else if (HAS_PREFIX(*prule_str, "SUITEB128C2")) {
1220
        suiteb_comb2 = 1;
1221
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
1222
    } else if (HAS_PREFIX(*prule_str, "SUITEB128")) {
1223
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
1224
    } else if (HAS_PREFIX(*prule_str, "SUITEB192")) {
1225
        suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
1226
    }
1227

1228
    if (suiteb_flags) {
1229
        c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
1230
        c->cert_flags |= suiteb_flags;
1231
    } else {
1232
        suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;
1233
    }
1234

1235
    if (!suiteb_flags)
1236
        return 1;
1237
    /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
1238

1239
    if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)) {
1240
        ERR_raise(ERR_LIB_SSL, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE);
1241
        return 0;
1242
    }
1243

1244
    switch (suiteb_flags) {
1245
    case SSL_CERT_FLAG_SUITEB_128_LOS:
1246
        if (suiteb_comb2)
1247
            *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
1248
        else
1249
            *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
1250
        break;
1251
    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1252
        *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
1253
        break;
1254
    case SSL_CERT_FLAG_SUITEB_192_LOS:
1255
        *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
1256
        break;
1257
    }
1258
    return 1;
1259
}
1260

1261
static int ciphersuite_cb(const char *elem, int len, void *arg)
1262
{
1263
    STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg;
1264
    const SSL_CIPHER *cipher;
1265
    /* Arbitrary sized temp buffer for the cipher name. Should be big enough */
1266
    char name[80];
1267

1268
    if (len > (int)(sizeof(name) - 1))
1269
        /* Anyway return 1 so we can parse rest of the list */
1270
        return 1;
1271

1272
    memcpy(name, elem, len);
1273
    name[len] = '\0';
1274

1275
    cipher = ssl3_get_cipher_by_std_name(name);
1276
    if (cipher == NULL)
1277
        /* Ciphersuite not found but return 1 to parse rest of the list */
1278
        return 1;
1279

1280
    if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {
1281
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1282
        return 0;
1283
    }
1284

1285
    return 1;
1286
}
1287

1288
static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str)
1289
{
1290
    STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null();
1291

1292
    if (newciphers == NULL)
1293
        return 0;
1294

1295
    /* Parse the list. We explicitly allow an empty list */
1296
    if (*str != '\0'
1297
        && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0
1298
            || sk_SSL_CIPHER_num(newciphers) == 0)) {
1299
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
1300
        sk_SSL_CIPHER_free(newciphers);
1301
        return 0;
1302
    }
1303
    sk_SSL_CIPHER_free(*currciphers);
1304
    *currciphers = newciphers;
1305

1306
    return 1;
1307
}
1308

1309
static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1310
    STACK_OF(SSL_CIPHER) *cipherstack)
1311
{
1312
    STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1313

1314
    if (tmp_cipher_list == NULL) {
1315
        return 0;
1316
    }
1317

1318
    sk_SSL_CIPHER_free(*cipher_list_by_id);
1319
    *cipher_list_by_id = tmp_cipher_list;
1320

1321
    (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
1322
    sk_SSL_CIPHER_sort(*cipher_list_by_id);
1323

1324
    return 1;
1325
}
1326

1327
static int update_cipher_list(SSL_CTX *ctx,
1328
    STACK_OF(SSL_CIPHER) **cipher_list,
1329
    STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1330
    STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
1331
{
1332
    int i;
1333
    STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list);
1334

1335
    if (tmp_cipher_list == NULL)
1336
        return 0;
1337

1338
    /*
1339
     * Delete any existing TLSv1.3 ciphersuites. These are always first in the
1340
     * list.
1341
     */
1342
    while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0
1343
        && sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls
1344
            == TLS1_3_VERSION)
1345
        (void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0);
1346

1347
    /* Insert the new TLSv1.3 ciphersuites */
1348
    for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) {
1349
        const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
1350

1351
        /* Don't include any TLSv1.3 ciphersuites that are disabled */
1352
        if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0
1353
            && (ssl_cipher_table_mac[sslc->algorithm2
1354
                    & SSL_HANDSHAKE_MAC_MASK]
1355
                       .mask
1356
                   & ctx->disabled_mac_mask)
1357
                == 0) {
1358
            sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc);
1359
        }
1360
    }
1361

1362
    if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) {
1363
        sk_SSL_CIPHER_free(tmp_cipher_list);
1364
        return 0;
1365
    }
1366

1367
    sk_SSL_CIPHER_free(*cipher_list);
1368
    *cipher_list = tmp_cipher_list;
1369

1370
    return 1;
1371
}
1372

1373
int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
1374
{
1375
    int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
1376

1377
    if (ret && ctx->cipher_list != NULL)
1378
        return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id,
1379
            ctx->tls13_ciphersuites);
1380

1381
    return ret;
1382
}
1383

1384
int SSL_set_ciphersuites(SSL *s, const char *str)
1385
{
1386
    STACK_OF(SSL_CIPHER) *cipher_list;
1387
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1388
    int ret;
1389

1390
    if (sc == NULL)
1391
        return 0;
1392

1393
    ret = set_ciphersuites(&(sc->tls13_ciphersuites), str);
1394

1395
    if (sc->cipher_list == NULL) {
1396
        if ((cipher_list = SSL_get_ciphers(s)) != NULL)
1397
            sc->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
1398
    }
1399
    if (ret && sc->cipher_list != NULL)
1400
        return update_cipher_list(s->ctx, &sc->cipher_list,
1401
            &sc->cipher_list_by_id,
1402
            sc->tls13_ciphersuites);
1403

1404
    return ret;
1405
}
1406

1407
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
1408
    STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
1409
    STACK_OF(SSL_CIPHER) **cipher_list,
1410
    STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1411
    const char *rule_str,
1412
    CERT *c)
1413
{
1414
    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
1415
    uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
1416
    STACK_OF(SSL_CIPHER) *cipherstack;
1417
    const char *rule_p;
1418
    CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1419
    const SSL_CIPHER **ca_list = NULL;
1420
    const SSL_METHOD *ssl_method = ctx->method;
1421

1422
    /*
1423
     * Return with error if nothing to do.
1424
     */
1425
    if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
1426
        return NULL;
1427

1428
    if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
1429
        return NULL;
1430

1431
    /*
1432
     * To reduce the work to do we only want to process the compiled
1433
     * in algorithms, so we first get the mask of disabled ciphers.
1434
     */
1435

1436
    disabled_mkey = ctx->disabled_mkey_mask;
1437
    disabled_auth = ctx->disabled_auth_mask;
1438
    disabled_enc = ctx->disabled_enc_mask;
1439
    disabled_mac = ctx->disabled_mac_mask;
1440

1441
    /*
1442
     * Now we have to collect the available ciphers from the compiled
1443
     * in ciphers. We cannot get more than the number compiled in, so
1444
     * it is used for allocation.
1445
     */
1446
    num_of_ciphers = ssl_method->num_ciphers();
1447

1448
    if (num_of_ciphers > 0) {
1449
        co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
1450
        if (co_list == NULL)
1451
            return NULL; /* Failure */
1452
    }
1453

1454
    ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1455
        disabled_mkey, disabled_auth, disabled_enc,
1456
        disabled_mac, co_list, &head, &tail);
1457

1458
    /* Now arrange all ciphers by preference. */
1459

1460
    /*
1461
     * Everything else being equal, prefer ephemeral ECDH over other key
1462
     * exchange mechanisms.
1463
     * For consistency, prefer ECDSA over RSA (though this only matters if the
1464
     * server has both certificates, and is using the DEFAULT, or a client
1465
     * preference).
1466
     */
1467
    ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
1468
        -1, &head, &tail);
1469
    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
1470
        &tail);
1471
    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
1472
        &tail);
1473

1474
    /* Within each strength group, we prefer GCM over CHACHA... */
1475
    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
1476
        &head, &tail);
1477
    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
1478
        &head, &tail);
1479

1480
    /*
1481
     * ...and generally, our preferred cipher is AES.
1482
     * Note that AEADs will be bumped to take preference after sorting by
1483
     * strength.
1484
     */
1485
    ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
1486
        -1, &head, &tail);
1487

1488
    /* Temporarily enable everything else for sorting */
1489
    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1490

1491
    /* Low priority for MD5 */
1492
    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
1493
        &tail);
1494

1495
    /*
1496
     * Move anonymous ciphers to the end.  Usually, these will remain
1497
     * disabled. (For applications that allow them, they aren't too bad, but
1498
     * we prefer authenticated ciphers.)
1499
     */
1500
    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
1501
        &tail);
1502

1503
    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
1504
        &tail);
1505
    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
1506
        &tail);
1507

1508
    /* RC4 is sort-of broken -- move to the end */
1509
    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
1510
        &tail);
1511

1512
    /*
1513
     * Now sort by symmetric encryption strength.  The above ordering remains
1514
     * in force within each class
1515
     */
1516
    if (!ssl_cipher_strength_sort(&head, &tail)) {
1517
        OPENSSL_free(co_list);
1518
        return NULL;
1519
    }
1520

1521
    /*
1522
     * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
1523
     */
1524
    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
1525
        &head, &tail);
1526

1527
    /*
1528
     * Irrespective of strength, enforce the following order:
1529
     * (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest.
1530
     * Within each group, ciphers remain sorted by strength and previous
1531
     * preference, i.e.,
1532
     * 1) ECDHE > DHE
1533
     * 2) GCM > CHACHA
1534
     * 3) AES > rest
1535
     * 4) TLS 1.2 > legacy
1536
     *
1537
     * Because we now bump ciphers to the top of the list, we proceed in
1538
     * reverse order of preference.
1539
     */
1540
    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
1541
        &head, &tail);
1542
    ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
1543
        CIPHER_BUMP, -1, &head, &tail);
1544
    ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
1545
        CIPHER_BUMP, -1, &head, &tail);
1546

1547
    /* Now disable everything (maintaining the ordering!) */
1548
    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1549

1550
    /*
1551
     * We also need cipher aliases for selecting based on the rule_str.
1552
     * There might be two types of entries in the rule_str: 1) names
1553
     * of ciphers themselves 2) aliases for groups of ciphers.
1554
     * For 1) we need the available ciphers and for 2) the cipher
1555
     * groups of cipher_aliases added together in one list (otherwise
1556
     * we would be happy with just the cipher_aliases table).
1557
     */
1558
    num_of_group_aliases = OSSL_NELEM(cipher_aliases);
1559
    num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1560
    ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
1561
    if (ca_list == NULL) {
1562
        OPENSSL_free(co_list);
1563
        return NULL; /* Failure */
1564
    }
1565
    ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1566
        disabled_mkey, disabled_auth, disabled_enc,
1567
        disabled_mac, head);
1568

1569
    /*
1570
     * If the rule_string begins with DEFAULT, apply the default rule
1571
     * before using the (possibly available) additional rules.
1572
     */
1573
    ok = 1;
1574
    rule_p = rule_str;
1575
    if (HAS_PREFIX(rule_str, "DEFAULT")) {
1576
        ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
1577
            &head, &tail, ca_list, c);
1578
        rule_p += 7;
1579
        if (*rule_p == ':')
1580
            rule_p++;
1581
    }
1582

1583
    if (ok && (rule_p[0] != '\0'))
1584
        ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
1585

1586
    OPENSSL_free(ca_list); /* Not needed anymore */
1587

1588
    if (!ok) { /* Rule processing failure */
1589
        OPENSSL_free(co_list);
1590
        return NULL;
1591
    }
1592

1593
    /*
1594
     * Allocate new "cipherstack" for the result, return with error
1595
     * if we cannot get one.
1596
     */
1597
    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
1598
        OPENSSL_free(co_list);
1599
        return NULL;
1600
    }
1601

1602
    /* Add TLSv1.3 ciphers first - we always prefer those if possible */
1603
    for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
1604
        const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
1605

1606
        /* Don't include any TLSv1.3 ciphers that are disabled */
1607
        if ((sslc->algorithm_enc & disabled_enc) != 0
1608
            || (ssl_cipher_table_mac[sslc->algorithm2
1609
                    & SSL_HANDSHAKE_MAC_MASK]
1610
                       .mask
1611
                   & ctx->disabled_mac_mask)
1612
                != 0) {
1613
            sk_SSL_CIPHER_delete(tls13_ciphersuites, i);
1614
            i--;
1615
            continue;
1616
        }
1617

1618
        if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
1619
            OPENSSL_free(co_list);
1620
            sk_SSL_CIPHER_free(cipherstack);
1621
            return NULL;
1622
        }
1623
    }
1624

1625
    OSSL_TRACE_BEGIN(TLS_CIPHER)
1626
    {
1627
        BIO_printf(trc_out, "cipher selection:\n");
1628
    }
1629
    /*
1630
     * The cipher selection for the list is done. The ciphers are added
1631
     * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1632
     */
1633
    for (curr = head; curr != NULL; curr = curr->next) {
1634
        if (curr->active) {
1635
            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1636
                OPENSSL_free(co_list);
1637
                sk_SSL_CIPHER_free(cipherstack);
1638
                OSSL_TRACE_CANCEL(TLS_CIPHER);
1639
                return NULL;
1640
            }
1641
            if (trc_out != NULL)
1642
                BIO_printf(trc_out, "<%s>\n", curr->cipher->name);
1643
        }
1644
    }
1645
    OPENSSL_free(co_list); /* Not needed any longer */
1646
    OSSL_TRACE_END(TLS_CIPHER);
1647

1648
    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
1649
        sk_SSL_CIPHER_free(cipherstack);
1650
        return NULL;
1651
    }
1652
    sk_SSL_CIPHER_free(*cipher_list);
1653
    *cipher_list = cipherstack;
1654

1655
    return cipherstack;
1656
}
1657

1658
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1659
{
1660
    const char *ver;
1661
    const char *kx, *au, *enc, *mac;
1662
    uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1663
    static const char *const format = "%-30s %-7s Kx=%-8s Au=%-5s Enc=%-22s Mac=%-4s\n";
1664

1665
    if (buf == NULL) {
1666
        len = 128;
1667
        if ((buf = OPENSSL_malloc(len)) == NULL)
1668
            return NULL;
1669
    } else if (len < 128) {
1670
        return NULL;
1671
    }
1672

1673
    alg_mkey = cipher->algorithm_mkey;
1674
    alg_auth = cipher->algorithm_auth;
1675
    alg_enc = cipher->algorithm_enc;
1676
    alg_mac = cipher->algorithm_mac;
1677

1678
    ver = ssl_protocol_to_string(cipher->min_tls);
1679

1680
    switch (alg_mkey) {
1681
    case SSL_kRSA:
1682
        kx = "RSA";
1683
        break;
1684
    case SSL_kDHE:
1685
        kx = "DH";
1686
        break;
1687
    case SSL_kECDHE:
1688
        kx = "ECDH";
1689
        break;
1690
    case SSL_kPSK:
1691
        kx = "PSK";
1692
        break;
1693
    case SSL_kRSAPSK:
1694
        kx = "RSAPSK";
1695
        break;
1696
    case SSL_kECDHEPSK:
1697
        kx = "ECDHEPSK";
1698
        break;
1699
    case SSL_kDHEPSK:
1700
        kx = "DHEPSK";
1701
        break;
1702
    case SSL_kSRP:
1703
        kx = "SRP";
1704
        break;
1705
    case SSL_kGOST:
1706
        kx = "GOST";
1707
        break;
1708
    case SSL_kGOST18:
1709
        kx = "GOST18";
1710
        break;
1711
    case SSL_kANY:
1712
        kx = "any";
1713
        break;
1714
    default:
1715
        kx = "unknown";
1716
    }
1717

1718
    switch (alg_auth) {
1719
    case SSL_aRSA:
1720
        au = "RSA";
1721
        break;
1722
    case SSL_aDSS:
1723
        au = "DSS";
1724
        break;
1725
    case SSL_aNULL:
1726
        au = "None";
1727
        break;
1728
    case SSL_aECDSA:
1729
        au = "ECDSA";
1730
        break;
1731
    case SSL_aPSK:
1732
        au = "PSK";
1733
        break;
1734
    case SSL_aSRP:
1735
        au = "SRP";
1736
        break;
1737
    case SSL_aGOST01:
1738
        au = "GOST01";
1739
        break;
1740
    /* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */
1741
    case (SSL_aGOST12 | SSL_aGOST01):
1742
        au = "GOST12";
1743
        break;
1744
    case SSL_aANY:
1745
        au = "any";
1746
        break;
1747
    default:
1748
        au = "unknown";
1749
        break;
1750
    }
1751

1752
    switch (alg_enc) {
1753
    case SSL_DES:
1754
        enc = "DES(56)";
1755
        break;
1756
    case SSL_3DES:
1757
        enc = "3DES(168)";
1758
        break;
1759
    case SSL_RC4:
1760
        enc = "RC4(128)";
1761
        break;
1762
    case SSL_RC2:
1763
        enc = "RC2(128)";
1764
        break;
1765
    case SSL_IDEA:
1766
        enc = "IDEA(128)";
1767
        break;
1768
    case SSL_eNULL:
1769
        enc = "None";
1770
        break;
1771
    case SSL_AES128:
1772
        enc = "AES(128)";
1773
        break;
1774
    case SSL_AES256:
1775
        enc = "AES(256)";
1776
        break;
1777
    case SSL_AES128GCM:
1778
        enc = "AESGCM(128)";
1779
        break;
1780
    case SSL_AES256GCM:
1781
        enc = "AESGCM(256)";
1782
        break;
1783
    case SSL_AES128CCM:
1784
        enc = "AESCCM(128)";
1785
        break;
1786
    case SSL_AES256CCM:
1787
        enc = "AESCCM(256)";
1788
        break;
1789
    case SSL_AES128CCM8:
1790
        enc = "AESCCM8(128)";
1791
        break;
1792
    case SSL_AES256CCM8:
1793
        enc = "AESCCM8(256)";
1794
        break;
1795
    case SSL_CAMELLIA128:
1796
        enc = "Camellia(128)";
1797
        break;
1798
    case SSL_CAMELLIA256:
1799
        enc = "Camellia(256)";
1800
        break;
1801
    case SSL_ARIA128GCM:
1802
        enc = "ARIAGCM(128)";
1803
        break;
1804
    case SSL_ARIA256GCM:
1805
        enc = "ARIAGCM(256)";
1806
        break;
1807
    case SSL_SEED:
1808
        enc = "SEED(128)";
1809
        break;
1810
    case SSL_eGOST2814789CNT:
1811
    case SSL_eGOST2814789CNT12:
1812
        enc = "GOST89(256)";
1813
        break;
1814
    case SSL_MAGMA:
1815
        enc = "MAGMA";
1816
        break;
1817
    case SSL_KUZNYECHIK:
1818
        enc = "KUZNYECHIK";
1819
        break;
1820
    case SSL_CHACHA20POLY1305:
1821
        enc = "CHACHA20/POLY1305(256)";
1822
        break;
1823
    default:
1824
        enc = "unknown";
1825
        break;
1826
    }
1827

1828
    switch (alg_mac) {
1829
    case SSL_MD5:
1830
        mac = "MD5";
1831
        break;
1832
    case SSL_SHA1:
1833
        mac = "SHA1";
1834
        break;
1835
    case SSL_SHA256:
1836
        mac = "SHA256";
1837
        break;
1838
    case SSL_SHA384:
1839
        mac = "SHA384";
1840
        break;
1841
    case SSL_AEAD:
1842
        mac = "AEAD";
1843
        break;
1844
    case SSL_GOST89MAC:
1845
    case SSL_GOST89MAC12:
1846
        mac = "GOST89";
1847
        break;
1848
    case SSL_GOST94:
1849
        mac = "GOST94";
1850
        break;
1851
    case SSL_GOST12_256:
1852
    case SSL_GOST12_512:
1853
        mac = "GOST2012";
1854
        break;
1855
    default:
1856
        mac = "unknown";
1857
        break;
1858
    }
1859

1860
    BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);
1861

1862
    return buf;
1863
}
1864

1865
const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1866
{
1867
    if (c == NULL)
1868
        return "(NONE)";
1869

1870
    /*
1871
     * Backwards-compatibility crutch.  In almost all contexts we report TLS
1872
     * 1.0 as "TLSv1", but for ciphers we report "TLSv1.0".
1873
     */
1874
    if (c->min_tls == TLS1_VERSION)
1875
        return "TLSv1.0";
1876
    return ssl_protocol_to_string(c->min_tls);
1877
}
1878

1879
/* return the actual cipher being used */
1880
const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1881
{
1882
    if (c != NULL)
1883
        return c->name;
1884
    return "(NONE)";
1885
}
1886

1887
/* return the actual cipher being used in RFC standard name */
1888
const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c)
1889
{
1890
    if (c != NULL)
1891
        return c->stdname;
1892
    return "(NONE)";
1893
}
1894

1895
/* return the OpenSSL name based on given RFC standard name */
1896
const char *OPENSSL_cipher_name(const char *stdname)
1897
{
1898
    const SSL_CIPHER *c;
1899

1900
    if (stdname == NULL)
1901
        return "(NONE)";
1902
    c = ssl3_get_cipher_by_std_name(stdname);
1903
    return SSL_CIPHER_get_name(c);
1904
}
1905

1906
/* number of bits for symmetric cipher */
1907
int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1908
{
1909
    int ret = 0;
1910

1911
    if (c != NULL) {
1912
        if (alg_bits != NULL)
1913
            *alg_bits = (int)c->alg_bits;
1914
        ret = (int)c->strength_bits;
1915
    }
1916
    return ret;
1917
}
1918

1919
uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c)
1920
{
1921
    return c->id;
1922
}
1923

1924
uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c)
1925
{
1926
    return c->id & 0xFFFF;
1927
}
1928

1929
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1930
{
1931
    SSL_COMP *ctmp;
1932
    SSL_COMP srch_key;
1933
    int i;
1934

1935
    if ((n == 0) || (sk == NULL))
1936
        return NULL;
1937
    srch_key.id = n;
1938
    i = sk_SSL_COMP_find(sk, &srch_key);
1939
    if (i >= 0)
1940
        ctmp = sk_SSL_COMP_value(sk, i);
1941
    else
1942
        ctmp = NULL;
1943

1944
    return ctmp;
1945
}
1946

1947
#ifdef OPENSSL_NO_COMP
1948
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1949
{
1950
    return NULL;
1951
}
1952

1953
STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
1954
        *meths)
1955
{
1956
    return meths;
1957
}
1958

1959
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1960
{
1961
    return 1;
1962
}
1963

1964
#else
1965
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1966
{
1967
    STACK_OF(SSL_COMP) **rv;
1968

1969
    rv = (STACK_OF(SSL_COMP) **)OSSL_LIB_CTX_get_data(NULL,
1970
        OSSL_LIB_CTX_COMP_METHODS);
1971
    if (rv != NULL)
1972
        return *rv;
1973
    else
1974
        return NULL;
1975
}
1976

1977
STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
1978
        *meths)
1979
{
1980
    STACK_OF(SSL_COMP) **comp_methods;
1981
    STACK_OF(SSL_COMP) *old_meths;
1982

1983
    comp_methods = (STACK_OF(SSL_COMP) **)OSSL_LIB_CTX_get_data(NULL,
1984
        OSSL_LIB_CTX_COMP_METHODS);
1985
    if (comp_methods == NULL) {
1986
        old_meths = meths;
1987
    } else {
1988
        old_meths = *comp_methods;
1989
        *comp_methods = meths;
1990
    }
1991

1992
    return old_meths;
1993
}
1994

1995
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1996
{
1997
    STACK_OF(SSL_COMP) *comp_methods;
1998
    SSL_COMP *comp;
1999

2000
    comp_methods = SSL_COMP_get_compression_methods();
2001

2002
    if (comp_methods == NULL)
2003
        return 1;
2004

2005
    if (cm == NULL || COMP_get_type(cm) == NID_undef)
2006
        return 1;
2007

2008
    /*-
2009
     * According to draft-ietf-tls-compression-04.txt, the
2010
     * compression number ranges should be the following:
2011
     *
2012
     *   0 to  63:  methods defined by the IETF
2013
     *  64 to 192:  external party methods assigned by IANA
2014
     * 193 to 255:  reserved for private use
2015
     */
2016
    if (id < 193 || id > 255) {
2017
        ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
2018
        return 1;
2019
    }
2020

2021
    comp = OPENSSL_malloc(sizeof(*comp));
2022
    if (comp == NULL)
2023
        return 1;
2024

2025
    comp->id = id;
2026
    if (sk_SSL_COMP_find(comp_methods, comp) >= 0) {
2027
        OPENSSL_free(comp);
2028
        ERR_raise(ERR_LIB_SSL, SSL_R_DUPLICATE_COMPRESSION_ID);
2029
        return 1;
2030
    }
2031
    if (!sk_SSL_COMP_push(comp_methods, comp)) {
2032
        OPENSSL_free(comp);
2033
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
2034
        return 1;
2035
    }
2036

2037
    return 0;
2038
}
2039
#endif
2040

2041
const char *SSL_COMP_get_name(const COMP_METHOD *comp)
2042
{
2043
#ifndef OPENSSL_NO_COMP
2044
    return comp ? COMP_get_name(comp) : NULL;
2045
#else
2046
    return NULL;
2047
#endif
2048
}
2049

2050
const char *SSL_COMP_get0_name(const SSL_COMP *comp)
2051
{
2052
#ifndef OPENSSL_NO_COMP
2053
    return comp->name;
2054
#else
2055
    return NULL;
2056
#endif
2057
}
2058

2059
int SSL_COMP_get_id(const SSL_COMP *comp)
2060
{
2061
#ifndef OPENSSL_NO_COMP
2062
    return comp->id;
2063
#else
2064
    return -1;
2065
#endif
2066
}
2067

2068
const SSL_CIPHER *ssl_get_cipher_by_char(SSL_CONNECTION *s,
2069
    const unsigned char *ptr,
2070
    int all)
2071
{
2072
    const SSL_CIPHER *c = SSL_CONNECTION_GET_SSL(s)->method->get_cipher_by_char(ptr);
2073

2074
    if (c == NULL || (!all && c->valid == 0))
2075
        return NULL;
2076
    return c;
2077
}
2078

2079
const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
2080
{
2081
    return ssl->method->get_cipher_by_char(ptr);
2082
}
2083

2084
int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
2085
{
2086
    int i;
2087
    if (c == NULL)
2088
        return NID_undef;
2089
    i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
2090
    if (i == -1)
2091
        return NID_undef;
2092
    return ssl_cipher_table_cipher[i].nid;
2093
}
2094

2095
int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
2096
{
2097
    int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
2098

2099
    if (i == -1)
2100
        return NID_undef;
2101
    return ssl_cipher_table_mac[i].nid;
2102
}
2103

2104
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
2105
{
2106
    int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
2107

2108
    if (i == -1)
2109
        return NID_undef;
2110
    return ssl_cipher_table_kx[i].nid;
2111
}
2112

2113
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
2114
{
2115
    int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);
2116

2117
    if (i == -1)
2118
        return NID_undef;
2119
    return ssl_cipher_table_auth[i].nid;
2120
}
2121

2122
int ssl_get_md_idx(int md_nid)
2123
{
2124
    int i;
2125

2126
    for (i = 0; i < SSL_MD_NUM_IDX; i++) {
2127
        if (md_nid == ssl_cipher_table_mac[i].nid)
2128
            return i;
2129
    }
2130
    return -1;
2131
}
2132

2133
const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c)
2134
{
2135
    int idx = c->algorithm2 & SSL_HANDSHAKE_MAC_MASK;
2136

2137
    if (idx < 0 || idx >= SSL_MD_NUM_IDX)
2138
        return NULL;
2139
    return EVP_get_digestbynid(ssl_cipher_table_mac[idx].nid);
2140
}
2141

2142
int SSL_CIPHER_is_aead(const SSL_CIPHER *c)
2143
{
2144
    return (c->algorithm_mac & SSL_AEAD) ? 1 : 0;
2145
}
2146

2147
int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
2148
    size_t *int_overhead, size_t *blocksize,
2149
    size_t *ext_overhead)
2150
{
2151
    int mac = 0, in = 0, blk = 0, out = 0;
2152

2153
    /* Some hard-coded numbers for the CCM/Poly1305 MAC overhead
2154
     * because there are no handy #defines for those. */
2155
    if (c->algorithm_enc & (SSL_AESGCM | SSL_ARIAGCM)) {
2156
        out = EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
2157
    } else if (c->algorithm_enc & (SSL_AES128CCM | SSL_AES256CCM)) {
2158
        out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
2159
    } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
2160
        out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
2161
    } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {
2162
        out = 16;
2163
    } else if (c->algorithm_mac & SSL_AEAD) {
2164
        /* We're supposed to have handled all the AEAD modes above */
2165
        return 0;
2166
    } else {
2167
        /* Non-AEAD modes. Calculate MAC/cipher overhead separately */
2168
        int digest_nid = SSL_CIPHER_get_digest_nid(c);
2169
        const EVP_MD *e_md = EVP_get_digestbynid(digest_nid);
2170

2171
        if (e_md == NULL)
2172
            return 0;
2173

2174
        mac = EVP_MD_get_size(e_md);
2175
        if (mac <= 0)
2176
            return 0;
2177
        if (c->algorithm_enc != SSL_eNULL) {
2178
            int cipher_nid = SSL_CIPHER_get_cipher_nid(c);
2179
            const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid);
2180

2181
            /* If it wasn't AEAD or SSL_eNULL, we expect it to be a
2182
               known CBC cipher. */
2183
            if (e_ciph == NULL || EVP_CIPHER_get_mode(e_ciph) != EVP_CIPH_CBC_MODE)
2184
                return 0;
2185

2186
            in = 1; /* padding length byte */
2187
            out = EVP_CIPHER_get_iv_length(e_ciph);
2188
            if (out < 0)
2189
                return 0;
2190
            blk = EVP_CIPHER_get_block_size(e_ciph);
2191
            if (blk <= 0)
2192
                return 0;
2193
        }
2194
    }
2195

2196
    *mac_overhead = (size_t)mac;
2197
    *int_overhead = (size_t)in;
2198
    *blocksize = (size_t)blk;
2199
    *ext_overhead = (size_t)out;
2200

2201
    return 1;
2202
}
2203

2204
int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx)
2205
{
2206
    const SSL_CERT_LOOKUP *cl;
2207

2208
    /* A provider-loaded key type is always enabled */
2209
    if (idx >= SSL_PKEY_NUM)
2210
        return 0;
2211

2212
    cl = ssl_cert_lookup_by_idx(idx, ctx);
2213
    if (cl == NULL || (cl->amask & ctx->disabled_auth_mask) != 0)
2214
        return 1;
2215
    return 0;
2216
}
2217

2218
/*
2219
 * Default list of TLSv1.2 (and earlier) ciphers
2220
 * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0
2221
 * Update both macro and function simultaneously
2222
 */
2223
const char *OSSL_default_cipher_list(void)
2224
{
2225
    return "ALL:!COMPLEMENTOFDEFAULT:!eNULL";
2226
}
2227

2228
/*
2229
 * Default list of TLSv1.3 (and later) ciphers
2230
 * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0
2231
 * Update both macro and function simultaneously
2232
 */
2233
const char *OSSL_default_ciphersuites(void)
2234
{
2235
    return "TLS_AES_256_GCM_SHA384:"
2236
           "TLS_CHACHA20_POLY1305_SHA256:"
2237
           "TLS_AES_128_GCM_SHA256";
2238
}
2239

2240