1/*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25#include "bearssl.h"
26
27/*
28 * A "profile" is an initialisation function for a SSL context, that
29 * configures a list of cipher suites and algorithm implementations.
30 * While BearSSL comes with a few predefined profiles, you might one
31 * to define you own, using the example below as guidance.
32 *
33 * Each individual initialisation call sets a parameter or an algorithm
34 * support. Setting a specific algorithm pulls in the implementation of
35 * that algorithm in the compiled binary, as per static linking
36 * behaviour. Removing some of this calls will then reduce total code
37 * footprint, but also mechanically prevents some features to be
38 * supported (protocol versions and cipher suites).
39 *
40 * The two below define profiles for the client and the server contexts,
41 * respectively. Of course, in a typical size-constrained application,
42 * you would use one or the other, not both, to avoid pulling in code
43 * for both.
44 */
45
46void
47example_client_profile(br_ssl_client_context *cc
48	/* and possibly some other arguments */)
49{
50	/*
51	 * A list of cipher suites, by preference (first is most
52	 * preferred). The list below contains all cipher suites supported
53	 * by BearSSL; trim it done to your needs.
54	 */
55	static const uint16_t suites[] = {
56		BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
57		BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
58		BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
59		BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
60		BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
61		BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
62		BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
63		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
64		BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
65		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
66		BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
67		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
68		BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
69		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
70		BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
71		BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
72		BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
73		BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
74		BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
75		BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
76		BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
77		BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
78		BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
79		BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
80		BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
81		BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
82		BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
83		BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
84		BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
85		BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
86		BR_TLS_RSA_WITH_AES_128_CBC_SHA,
87		BR_TLS_RSA_WITH_AES_256_CBC_SHA,
88		BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
89		BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
90		BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
91		BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
92		BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
93	};
94
95	/*
96	 * Client context must be cleared at some point. This sets
97	 * every value and pointer to 0 or NULL.
98	 */
99	br_ssl_client_zero(cc);
100
101	/*
102	 * Define minimum and maximum protocol versions. Supported
103	 * versions are:
104	 *    BR_TLS10    TLS 1.0
105	 *    BR_TLS11    TLS 1.1
106	 *    BR_TLS12    TLS 1.2
107	 */
108	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
109
110	/*
111	 * Set the PRF implementation(s).
112	 * For TLS 1.0 and 1.1, the "prf10" is needed.
113	 * For TLS 1.2, this depends on the cipher suite:
114	 *  -- cipher suites with a name ending in "SHA384" need "prf_sha384";
115	 *  -- all others need "prf_sha256".
116	 *
117	 * Note that a cipher suite like TLS_RSA_WITH_AES_128_CBC_SHA will
118	 * use SHA-1 for the per-record MAC (that's what the final "SHA"
119	 * means), but still SHA-256 for the PRF when selected along with
120	 * the TLS-1.2 protocol version.
121	 */
122	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
123	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
124	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
125
126	/*
127	 * Set hash functions for the engine. Required hash functions
128	 * depend on the protocol and cipher suite:
129	 *
130	 * -- TLS 1.0 and 1.1 require both MD5 and SHA-1.
131	 * -- With TLS 1.2, cipher suites with a name ending in "SHA384"
132	 *    require SHA-384.
133	 * -- With TLS 1.2, cipher suites with a name ending in "SHA256"
134	 *    require SHA-256.
135	 * -- With TLS 1.2, cipher suites with a name ending in "SHA"
136	 *    require both SHA-256 and SHA-1.
137	 *
138	 * Moreover, these hash functions are also used to compute
139	 * hashes supporting signatures on the server side (for ECDHE_*
140	 * cipher suites), and on the client side (for client
141	 * certificates, except in the case of full static ECDH). In TLS
142	 * 1.0 and 1.1, SHA-1 (and also MD5) will be used, but with TLS
143	 * 1.2 these hash functions are negotiated between client and
144	 * server; SHA-256 and/or SHA-384 should be sufficient in
145	 * practice.
146	 *
147	 * Note that with current implementations, SHA-224 and SHA-256
148	 * share the same file, so if you use one, you may have the other
149	 * one with no additional overhead. Similarly, SHA-384 and SHA-512
150	 * share the same implementation code.
151	 */
152	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);
153	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);
154	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);
155	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);
156	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);
157	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);
158
159	/*
160	 * Set the cipher suites. All specified cipher suite MUST be
161	 * supported, and the relevant algorithms MUST have been
162	 * configured (failure to provide needed implementations may
163	 * trigger unwanted behaviours like segfaults or overflows).
164	 */
165	br_ssl_engine_set_suites(&cc->eng, suites,
166		(sizeof suites) / (sizeof suites[0]));
167
168	/*
169	 * Public-key algorithm implementations.
170	 *
171	 * -- RSA public core ("rsapub") is needed for "RSA" key exchange
172	 *    (cipher suites whose name starts with TLS_RSA).
173	 *
174	 * -- RSA signature verification ("rsavrfy") is needed for
175	 *    "ECDHE_RSA" cipher suites (not ECDH_RSA).
176	 *
177	 * -- Elliptic curve implementation ("ec") is needed for cipher
178	 *    suites that use elliptic curves (both "ECDH" and "ECDHE"
179	 *    cipher suites).
180	 *
181	 * -- ECDSA signature verification is needed for "ECDHE_ECDSA"
182	 *    cipher suites (but not for ECDHE_RSA, ECDH_ECDSA or ECDH_RSA).
183	 *
184	 * Normally, you use the "default" implementations, obtained
185	 * through relevant function calls. These functions return
186	 * implementations that are deemed "best" for the current
187	 * platform, where "best" means "fastest within constant-time
188	 * implementations". Selecting the default implementation is a
189	 * mixture of compile-time and runtime checks.
190	 *
191	 * Nevertheless, specific implementations may be selected
192	 * explicitly, e.g. to use code which is slower but with a
193	 * smaller footprint.
194	 *
195	 * The RSA code comes in three variants, called "i15", "i31" and
196	 * "i32". The "i31" code is somewhat faster than the "i32" code.
197	 * Usually, "i31" is faster than "i15", except on some specific
198	 * architectures (ARM Cortex M0, M0+, M1 and M3) where the "i15"
199	 * should be preferred (the "i15" code is constant-time, while
200	 * the "i31" is not, and the "i15" code is faster anyway).
201	 *
202	 * ECDSA code also comes in "i15" and "i31" variants. As in the
203	 * case of RSA, the "i31" code is faster, except on the small
204	 * ARM Cortex M, where the "i15" code is faster and safer.
205	 *
206	 * There are no less than 10 elliptic curve implementations:
207	 *
208	 *  - ec_c25519_i15, ec_c25519_i31, ec_c25519_m15 and ec_c25519_m31
209	 *    implement Curve25519.
210	 *
211	 *  - ec_p256_m15 and ec_p256_m31 implement NIST curve P-256.
212	 *
213	 *  - ec_prime_i15 and ec_prime_i31 implement NIST curves P-256,
214	 *    P-384 and P-521.
215	 *
216	 *  - ec_all_m15 is an aggregate implementation that uses
217	 *    ec_c25519_m15, ec_p256_m15 and ec_prime_i15.
218	 *
219	 *  - ec_all_m31 is an aggregate implementation that uses
220	 *    ec_c25519_m31, ec_p256_m31 and ec_prime_i31.
221	 *
222	 * For a given curve, "m15" is faster than "i15" (but possibly
223	 * with a larger code footprint) and "m31" is faster than "i31"
224	 * (there again with a larger code footprint). For best
225	 * performance, use ec_all_m31, except on the small ARM Cortex M
226	 * where ec_all_m15 should be used. Referencing the other
227	 * implementations directly will result in smaller code, but
228	 * support for fewer curves and possibly lower performance.
229	 */
230	br_ssl_client_set_default_rsapub(cc);
231	br_ssl_engine_set_default_rsavrfy(&cc->eng);
232	br_ssl_engine_set_default_ecdsa(&cc->eng);
233	/* Alternate: set implementations explicitly.
234	br_ssl_client_set_rsapub(cc, &br_rsa_i31_public);
235	br_ssl_client_set_rsavrfy(cc, &br_rsa_i31_pkcs1_vrfy);
236	br_ssl_engine_set_ec(&cc->eng, &br_ec_all_m31);
237	br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i31_vrfy_asn1);
238	*/
239
240	/*
241	 * Record handler:
242	 * -- Cipher suites in AES_128_CBC, AES_256_CBC and 3DES_EDE_CBC
243	 *    need the CBC record handler ("set_cbc").
244	 * -- Cipher suites in AES_128_GCM and AES_256_GCM need the GCM
245	 *    record handler ("set_gcm").
246	 * -- Cipher suites in CHACHA20_POLY1305 need the ChaCha20+Poly1305
247	 *    record handler ("set_chapol").
248	 */
249	br_ssl_engine_set_cbc(&cc->eng,
250		&br_sslrec_in_cbc_vtable,
251		&br_sslrec_out_cbc_vtable);
252	br_ssl_engine_set_gcm(&cc->eng,
253		&br_sslrec_in_gcm_vtable,
254		&br_sslrec_out_gcm_vtable);
255	br_ssl_engine_set_chapol(&cc->eng,
256		&br_sslrec_in_chapol_vtable,
257		&br_sslrec_out_chapol_vtable);
258
259	/*
260	 * Symmetric encryption:
261	 * -- AES_128_CBC and AES_256_CBC require an "aes_cbc" implementation
262	 *    (actually two implementations, for encryption and decryption).
263	 * -- 3DES_EDE_CBC requires a "des_cbc" implementation
264	 *    (actually two implementations, for encryption and decryption).
265	 * -- AES_128_GCM and AES_256_GCM require an "aes_ctr" imeplementation
266	 *    and also a GHASH implementation.
267	 *
268	 * Two 3DES implementations are provided:
269	 *
270	 *    des_tab     Classical table-based implementation; it is
271	 *                not constant-time.
272	 *
273	 *    dest_ct     Constant-time DES/3DES implementation. It is
274	 *                slower than des_tab.
275	 *
276	 * Four AES implementations are provided:
277	 *
278	 *    aes_ct      Constant-time AES implementation, for 32-bit
279	 *                systems.
280	 *
281	 *    aes_ct64    Constant-time AES implementation, for 64-bit
282	 *                systems. It actually also runs on 32-bit systems,
283	 *                but, on such systems, it yields larger code and
284	 *                slightly worse performance. On 64-bit systems,
285	 *                aes_ct64 is about twice faster than aes_ct for
286	 *                CTR processing (GCM encryption and decryption),
287	 *                and for CBC (decryption only).
288	 *
289	 *    aes_small   Smallest implementation provided, but also the
290	 *                slowest, and it is not constant-time. Use it
291	 *                only if desperate for code size.
292	 *
293	 *    aes_big     Classical table-based AES implementation. This
294	 *                is decently fast and still resonably compact,
295	 *                but it is not constant-time.
296	 *
297	 *    aes_x86ni   Very fast implementation that uses the AES-NI
298	 *                opcodes on recent x86 CPU. But it may not be
299	 *                compiled in the library if the compiler or
300	 *                architecture is not supported; and the CPU
301	 *                may also not support the opcodes. Selection
302	 *                functions are provided to test for availability
303	 *                of the code and the opcodes.
304	 *
305	 * Whether having constant-time implementations is absolutely
306	 * required for security depends on the context (in particular
307	 * whether the target architecture actually has cache memory),
308	 * and while side-channel analysis for non-constant-time AES
309	 * code has been demonstrated in lab conditions, it certainly
310	 * does not apply to all actual usages, and it has never been
311	 * spotted in the wild. It is still considered cautious to use
312	 * constant-time code by default, and to consider the other
313	 * implementations only if duly measured performance issues make
314	 * it mandatory.
315	 */
316	br_ssl_engine_set_aes_cbc(&cc->eng,
317		&br_aes_ct_cbcenc_vtable,
318		&br_aes_ct_cbcdec_vtable);
319	br_ssl_engine_set_aes_ctr(&cc->eng,
320		&br_aes_ct_ctr_vtable);
321	/* Alternate: aes_ct64
322	br_ssl_engine_set_aes_cbc(&cc->eng,
323		&br_aes_ct64_cbcenc_vtable,
324		&br_aes_ct64_cbcdec_vtable);
325	br_ssl_engine_set_aes_ctr(&cc->eng,
326		&br_aes_ct64_ctr_vtable);
327	*/
328	/* Alternate: aes_small
329	br_ssl_engine_set_aes_cbc(&cc->eng,
330		&br_aes_small_cbcenc_vtable,
331		&br_aes_small_cbcdec_vtable);
332	br_ssl_engine_set_aes_ctr(&cc->eng,
333		&br_aes_small_ctr_vtable);
334	*/
335	/* Alternate: aes_big
336	br_ssl_engine_set_aes_cbc(&cc->eng,
337		&br_aes_big_cbcenc_vtable,
338		&br_aes_big_cbcdec_vtable);
339	br_ssl_engine_set_aes_ctr(&cc->eng,
340		&br_aes_big_ctr_vtable);
341	*/
342	br_ssl_engine_set_des_cbc(&cc->eng,
343		&br_des_ct_cbcenc_vtable,
344		&br_des_ct_cbcdec_vtable);
345	/* Alternate: des_tab
346	br_ssl_engine_set_des_cbc(&cc->eng,
347		&br_des_tab_cbcenc_vtable,
348		&br_des_tab_cbcdec_vtable);
349	*/
350
351	/*
352	 * GHASH is needed for AES_128_GCM and AES_256_GCM. Three
353	 * implementations are provided:
354	 *
355	 *    ctmul     Uses 32-bit multiplications with a 64-bit result.
356	 *
357	 *    ctmul32   Uses 32-bit multiplications with a 32-bit result.
358	 *
359	 *    ctmul64   Uses 64-bit multiplications with a 64-bit result.
360	 *
361	 * On 64-bit platforms, ctmul64 is the smallest and fastest of
362	 * the three. On 32-bit systems, ctmul should be preferred. The
363	 * ctmul32 implementation is meant to be used for the specific
364	 * 32-bit systems that do not have a 32x32->64 multiplier (i.e.
365	 * the ARM Cortex-M0 and Cortex-M0+).
366	 *
367	 * These implementations are all constant-time as long as the
368	 * underlying multiplication opcode is constant-time (which is
369	 * true for all modern systems, but not for older architectures
370	 * such that ARM9 or 80486).
371	 */
372	br_ssl_engine_set_ghash(&cc->eng,
373		&br_ghash_ctmul);
374	/* Alternate: ghash_ctmul32
375	br_ssl_engine_set_ghash(&cc->eng,
376		&br_ghash_ctmul32);
377	*/
378	/* Alternate: ghash_ctmul64
379	br_ssl_engine_set_ghash(&cc->eng,
380		&br_ghash_ctmul64);
381	*/
382
383#if 0
384	/*
385	 * For a client, the normal case is to validate the server
386	 * certificate with regards to a set of trust anchors. This
387	 * entails using a br_x509_minimal_context structure, configured
388	 * with the relevant algorithms, as shown below.
389	 *
390	 * Alternatively, the client could "know" the intended server
391	 * public key through an out-of-band mechanism, in which case
392	 * a br_x509_knownkey_context is appropriate, for a much reduced
393	 * code footprint.
394	 *
395	 * We assume here that the following extra parameters have been
396	 * provided:
397	 *
398	 *   xc                  engine context (br_x509_minimal_context *)
399	 *   trust_anchors       trust anchors (br_x509_trust_anchor *)
400	 *   trust_anchors_num   number of trust anchors (size_t)
401	 */
402
403	/*
404	 * The X.509 engine needs a hash function for processing the
405	 * subject and issuer DN of certificates and trust anchors. Any
406	 * supported hash function is appropriate; here we use SHA-256.
407	 * The trust an
408	 */
409	br_x509_minimal_init(xc, &br_sha256_vtable,
410		trust_anchors, trust_anchors_num);
411
412	/*
413	 * Set suites and asymmetric crypto implementations. We use the
414	 * "i31" code for RSA (it is somewhat faster than the "i32"
415	 * implementation). These implementations are used for
416	 * signature verification on certificates, but not for the
417	 * SSL-specific usage of the server's public key. For instance,
418	 * if the server has an EC public key but the rest of the chain
419	 * (intermediate CA, root...) use RSA, then you would need only
420	 * the RSA verification function below.
421	 */
422	br_x509_minimal_set_rsa(xc, &br_rsa_i31_pkcs1_vrfy);
423	br_x509_minimal_set_ecdsa(xc,
424		&br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1);
425
426	/*
427	 * Set supported hash functions. These are for signatures on
428	 * certificates. There again, you only need the hash functions
429	 * that are actually used in certificates, but if a given
430	 * function was included for the SSL engine, you may as well
431	 * add it here.
432	 *
433	 * Note: the engine explicitly rejects signatures that use MD5.
434	 * Thus, there is no need for MD5 here.
435	 */
436	br_ssl_engine_set_hash(xc, br_sha1_ID, &br_sha1_vtable);
437	br_ssl_engine_set_hash(xc, br_sha224_ID, &br_sha224_vtable);
438	br_ssl_engine_set_hash(xc, br_sha256_ID, &br_sha256_vtable);
439	br_ssl_engine_set_hash(xc, br_sha384_ID, &br_sha384_vtable);
440	br_ssl_engine_set_hash(xc, br_sha512_ID, &br_sha512_vtable);
441
442	/*
443	 * Link the X.509 engine in the SSL engine.
444	 */
445	br_ssl_engine_set_x509(&cc->eng, &xc->vtable);
446#endif
447}
448
449/*
450 * Example server profile. Most of it is shared with the client
451 * profile, so see the comments in the client function for details.
452 *
453 * This example function assumes a server with a (unique) RSA private
454 * key, so the list of cipher suites is trimmed down for RSA.
455 */
456void
457example_server_profile(br_ssl_server_context *cc,
458	const br_x509_certificate *chain, size_t chain_len,
459	const br_rsa_private_key *sk)
460{
461	static const uint16_t suites[] = {
462		BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
463		BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
464		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
465		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
466		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
467		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
468		BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
469		BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
470		BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
471		BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
472		BR_TLS_RSA_WITH_AES_128_CBC_SHA,
473		BR_TLS_RSA_WITH_AES_256_CBC_SHA,
474		BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
475		BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
476	};
477
478	br_ssl_server_zero(cc);
479	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
480
481	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
482	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
483	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
484
485	/*
486	 * Apart from the requirements listed in the client side, these
487	 * hash functions are also used by the server to compute its
488	 * signature on ECDHE parameters. Which functions are needed
489	 * depends on what the client may support; furthermore, the
490	 * client may fail to send the relevant extension, in which
491	 * case the server will default to whatever it can (as per the
492	 * standard, it should be SHA-1 in that case).
493	 */
494	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);
495	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);
496	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);
497	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);
498	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);
499	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);
500
501	br_ssl_engine_set_suites(&cc->eng, suites,
502		(sizeof suites) / (sizeof suites[0]));
503
504	/*
505	 * Elliptic curve implementation is used for ECDHE suites (but
506	 * not for ECDH).
507	 */
508	br_ssl_engine_set_ec(&cc->eng, &br_ec_prime_i31);
509
510	/*
511	 * Set the "server policy": handler for the certificate chain
512	 * and private key operations. Here, we indicate that the RSA
513	 * private key is fit for both signing and decrypting, and we
514	 * provide the two relevant implementations.
515
516	 * BR_KEYTYPE_KEYX allows TLS_RSA_*, BR_KEYTYPE_SIGN allows
517	 * TLS_ECDHE_RSA_*.
518	 */
519	br_ssl_server_set_single_rsa(cc, chain, chain_len, sk,
520		BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
521		br_rsa_i31_private, br_rsa_i31_pkcs1_sign);
522	/*
523	 * If the server used an EC private key, this call would look
524	 * like this:
525
526	br_ssl_server_set_single_ec(cc, chain, chain_len, sk,
527		BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
528		cert_issuer_key_type,
529		&br_ec_prime_i31, br_ecdsa_i31_sign_asn1);
530
531	 * Note the tricky points:
532	 *
533	 * -- "ECDH" cipher suites use only the EC code (&br_ec_prime_i31);
534	 *    the ECDHE_ECDSA cipher suites need both the EC code and
535	 *    the ECDSA signature implementation.
536	 *
537	 * -- For "ECDH" (not "ECDHE") cipher suites, the engine must
538	 *    know the key type (RSA or EC) for the intermediate CA that
539	 *    issued the server's certificate; this is an artefact of
540	 *    how the protocol is defined. BearSSL won't try to decode
541	 *    the server's certificate to obtain that information (it
542	 *    could do that, the code is there, but it would increase the
543	 *    footprint). So this must be provided by the caller.
544	 *
545	 * -- BR_KEYTYPE_KEYX allows ECDH, BR_KEYTYPE_SIGN allows
546	 *    ECDHE_ECDSA.
547	 */
548
549	br_ssl_engine_set_cbc(&cc->eng,
550		&br_sslrec_in_cbc_vtable,
551		&br_sslrec_out_cbc_vtable);
552	br_ssl_engine_set_gcm(&cc->eng,
553		&br_sslrec_in_gcm_vtable,
554		&br_sslrec_out_gcm_vtable);
555
556	br_ssl_engine_set_aes_cbc(&cc->eng,
557		&br_aes_ct_cbcenc_vtable,
558		&br_aes_ct_cbcdec_vtable);
559	br_ssl_engine_set_aes_ctr(&cc->eng,
560		&br_aes_ct_ctr_vtable);
561	/* Alternate: aes_ct64
562	br_ssl_engine_set_aes_cbc(&cc->eng,
563		&br_aes_ct64_cbcenc_vtable,
564		&br_aes_ct64_cbcdec_vtable);
565	br_ssl_engine_set_aes_ctr(&cc->eng,
566		&br_aes_ct64_ctr_vtable);
567	*/
568	/* Alternate: aes_small
569	br_ssl_engine_set_aes_cbc(&cc->eng,
570		&br_aes_small_cbcenc_vtable,
571		&br_aes_small_cbcdec_vtable);
572	br_ssl_engine_set_aes_ctr(&cc->eng,
573		&br_aes_small_ctr_vtable);
574	*/
575	/* Alternate: aes_big
576	br_ssl_engine_set_aes_cbc(&cc->eng,
577		&br_aes_big_cbcenc_vtable,
578		&br_aes_big_cbcdec_vtable);
579	br_ssl_engine_set_aes_ctr(&cc->eng,
580		&br_aes_big_ctr_vtable);
581	*/
582	br_ssl_engine_set_des_cbc(&cc->eng,
583		&br_des_ct_cbcenc_vtable,
584		&br_des_ct_cbcdec_vtable);
585	/* Alternate: des_tab
586	br_ssl_engine_set_des_cbc(&cc->eng,
587		&br_des_tab_cbcenc_vtable,
588		&br_des_tab_cbcdec_vtable);
589	*/
590
591	br_ssl_engine_set_ghash(&cc->eng,
592		&br_ghash_ctmul);
593	/* Alternate: ghash_ctmul32
594	br_ssl_engine_set_ghash(&cc->eng,
595		&br_ghash_ctmul32);
596	*/
597	/* Alternate: ghash_ctmul64
598	br_ssl_engine_set_ghash(&cc->eng,
599		&br_ghash_ctmul64);
600	*/
601}
602