xref: /freebsd/contrib/bearssl/samples/custom_profile.c (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "bearssl.h"
26 
27 /*
28  * A "profile" is an initialisation function for a SSL context, that
29  * configures a list of cipher suites and algorithm implementations.
30  * While BearSSL comes with a few predefined profiles, you might one
31  * to define you own, using the example below as guidance.
32  *
33  * Each individual initialisation call sets a parameter or an algorithm
34  * support. Setting a specific algorithm pulls in the implementation of
35  * that algorithm in the compiled binary, as per static linking
36  * behaviour. Removing some of this calls will then reduce total code
37  * footprint, but also mechanically prevents some features to be
38  * supported (protocol versions and cipher suites).
39  *
40  * The two below define profiles for the client and the server contexts,
41  * respectively. Of course, in a typical size-constrained application,
42  * you would use one or the other, not both, to avoid pulling in code
43  * for both.
44  */
45 
46 void
47 example_client_profile(br_ssl_client_context *cc
48 	/* and possibly some other arguments */)
49 {
50 	/*
51 	 * A list of cipher suites, by preference (first is most
52 	 * preferred). The list below contains all cipher suites supported
53 	 * by BearSSL; trim it done to your needs.
54 	 */
55 	static const uint16_t suites[] = {
56 		BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
57 		BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
58 		BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
59 		BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
60 		BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
61 		BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
62 		BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
63 		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
64 		BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
65 		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
66 		BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
67 		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
68 		BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
69 		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
70 		BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
71 		BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
72 		BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
73 		BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
74 		BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
75 		BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
76 		BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
77 		BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
78 		BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
79 		BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
80 		BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
81 		BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
82 		BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
83 		BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
84 		BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
85 		BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
86 		BR_TLS_RSA_WITH_AES_128_CBC_SHA,
87 		BR_TLS_RSA_WITH_AES_256_CBC_SHA,
88 		BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
89 		BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
90 		BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
91 		BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
92 		BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
93 	};
94 
95 	/*
96 	 * Client context must be cleared at some point. This sets
97 	 * every value and pointer to 0 or NULL.
98 	 */
99 	br_ssl_client_zero(cc);
100 
101 	/*
102 	 * Define minimum and maximum protocol versions. Supported
103 	 * versions are:
104 	 *    BR_TLS10    TLS 1.0
105 	 *    BR_TLS11    TLS 1.1
106 	 *    BR_TLS12    TLS 1.2
107 	 */
108 	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
109 
110 	/*
111 	 * Set the PRF implementation(s).
112 	 * For TLS 1.0 and 1.1, the "prf10" is needed.
113 	 * For TLS 1.2, this depends on the cipher suite:
114 	 *  -- cipher suites with a name ending in "SHA384" need "prf_sha384";
115 	 *  -- all others need "prf_sha256".
116 	 *
117 	 * Note that a cipher suite like TLS_RSA_WITH_AES_128_CBC_SHA will
118 	 * use SHA-1 for the per-record MAC (that's what the final "SHA"
119 	 * means), but still SHA-256 for the PRF when selected along with
120 	 * the TLS-1.2 protocol version.
121 	 */
122 	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
123 	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
124 	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
125 
126 	/*
127 	 * Set hash functions for the engine. Required hash functions
128 	 * depend on the protocol and cipher suite:
129 	 *
130 	 * -- TLS 1.0 and 1.1 require both MD5 and SHA-1.
131 	 * -- With TLS 1.2, cipher suites with a name ending in "SHA384"
132 	 *    require SHA-384.
133 	 * -- With TLS 1.2, cipher suites with a name ending in "SHA256"
134 	 *    require SHA-256.
135 	 * -- With TLS 1.2, cipher suites with a name ending in "SHA"
136 	 *    require both SHA-256 and SHA-1.
137 	 *
138 	 * Moreover, these hash functions are also used to compute
139 	 * hashes supporting signatures on the server side (for ECDHE_*
140 	 * cipher suites), and on the client side (for client
141 	 * certificates, except in the case of full static ECDH). In TLS
142 	 * 1.0 and 1.1, SHA-1 (and also MD5) will be used, but with TLS
143 	 * 1.2 these hash functions are negotiated between client and
144 	 * server; SHA-256 and/or SHA-384 should be sufficient in
145 	 * practice.
146 	 *
147 	 * Note that with current implementations, SHA-224 and SHA-256
148 	 * share the same file, so if you use one, you may have the other
149 	 * one with no additional overhead. Similarly, SHA-384 and SHA-512
150 	 * share the same implementation code.
151 	 */
152 	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);
153 	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);
154 	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);
155 	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);
156 	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);
157 	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);
158 
159 	/*
160 	 * Set the cipher suites. All specified cipher suite MUST be
161 	 * supported, and the relevant algorithms MUST have been
162 	 * configured (failure to provide needed implementations may
163 	 * trigger unwanted behaviours like segfaults or overflows).
164 	 */
165 	br_ssl_engine_set_suites(&cc->eng, suites,
166 		(sizeof suites) / (sizeof suites[0]));
167 
168 	/*
169 	 * Public-key algorithm implementations.
170 	 *
171 	 * -- RSA public core ("rsapub") is needed for "RSA" key exchange
172 	 *    (cipher suites whose name starts with TLS_RSA).
173 	 *
174 	 * -- RSA signature verification ("rsavrfy") is needed for
175 	 *    "ECDHE_RSA" cipher suites (not ECDH_RSA).
176 	 *
177 	 * -- Elliptic curve implementation ("ec") is needed for cipher
178 	 *    suites that use elliptic curves (both "ECDH" and "ECDHE"
179 	 *    cipher suites).
180 	 *
181 	 * -- ECDSA signature verification is needed for "ECDHE_ECDSA"
182 	 *    cipher suites (but not for ECDHE_RSA, ECDH_ECDSA or ECDH_RSA).
183 	 *
184 	 * Normally, you use the "default" implementations, obtained
185 	 * through relevant function calls. These functions return
186 	 * implementations that are deemed "best" for the current
187 	 * platform, where "best" means "fastest within constant-time
188 	 * implementations". Selecting the default implementation is a
189 	 * mixture of compile-time and runtime checks.
190 	 *
191 	 * Nevertheless, specific implementations may be selected
192 	 * explicitly, e.g. to use code which is slower but with a
193 	 * smaller footprint.
194 	 *
195 	 * The RSA code comes in three variants, called "i15", "i31" and
196 	 * "i32". The "i31" code is somewhat faster than the "i32" code.
197 	 * Usually, "i31" is faster than "i15", except on some specific
198 	 * architectures (ARM Cortex M0, M0+, M1 and M3) where the "i15"
199 	 * should be preferred (the "i15" code is constant-time, while
200 	 * the "i31" is not, and the "i15" code is faster anyway).
201 	 *
202 	 * ECDSA code also comes in "i15" and "i31" variants. As in the
203 	 * case of RSA, the "i31" code is faster, except on the small
204 	 * ARM Cortex M, where the "i15" code is faster and safer.
205 	 *
206 	 * There are no less than 10 elliptic curve implementations:
207 	 *
208 	 *  - ec_c25519_i15, ec_c25519_i31, ec_c25519_m15 and ec_c25519_m31
209 	 *    implement Curve25519.
210 	 *
211 	 *  - ec_p256_m15 and ec_p256_m31 implement NIST curve P-256.
212 	 *
213 	 *  - ec_prime_i15 and ec_prime_i31 implement NIST curves P-256,
214 	 *    P-384 and P-521.
215 	 *
216 	 *  - ec_all_m15 is an aggregate implementation that uses
217 	 *    ec_c25519_m15, ec_p256_m15 and ec_prime_i15.
218 	 *
219 	 *  - ec_all_m31 is an aggregate implementation that uses
220 	 *    ec_c25519_m31, ec_p256_m31 and ec_prime_i31.
221 	 *
222 	 * For a given curve, "m15" is faster than "i15" (but possibly
223 	 * with a larger code footprint) and "m31" is faster than "i31"
224 	 * (there again with a larger code footprint). For best
225 	 * performance, use ec_all_m31, except on the small ARM Cortex M
226 	 * where ec_all_m15 should be used. Referencing the other
227 	 * implementations directly will result in smaller code, but
228 	 * support for fewer curves and possibly lower performance.
229 	 */
230 	br_ssl_client_set_default_rsapub(cc);
231 	br_ssl_engine_set_default_rsavrfy(&cc->eng);
232 	br_ssl_engine_set_default_ecdsa(&cc->eng);
233 	/* Alternate: set implementations explicitly.
234 	br_ssl_client_set_rsapub(cc, &br_rsa_i31_public);
235 	br_ssl_client_set_rsavrfy(cc, &br_rsa_i31_pkcs1_vrfy);
236 	br_ssl_engine_set_ec(&cc->eng, &br_ec_all_m31);
237 	br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i31_vrfy_asn1);
238 	*/
239 
240 	/*
241 	 * Record handler:
242 	 * -- Cipher suites in AES_128_CBC, AES_256_CBC and 3DES_EDE_CBC
243 	 *    need the CBC record handler ("set_cbc").
244 	 * -- Cipher suites in AES_128_GCM and AES_256_GCM need the GCM
245 	 *    record handler ("set_gcm").
246 	 * -- Cipher suites in CHACHA20_POLY1305 need the ChaCha20+Poly1305
247 	 *    record handler ("set_chapol").
248 	 */
249 	br_ssl_engine_set_cbc(&cc->eng,
250 		&br_sslrec_in_cbc_vtable,
251 		&br_sslrec_out_cbc_vtable);
252 	br_ssl_engine_set_gcm(&cc->eng,
253 		&br_sslrec_in_gcm_vtable,
254 		&br_sslrec_out_gcm_vtable);
255 	br_ssl_engine_set_chapol(&cc->eng,
256 		&br_sslrec_in_chapol_vtable,
257 		&br_sslrec_out_chapol_vtable);
258 
259 	/*
260 	 * Symmetric encryption:
261 	 * -- AES_128_CBC and AES_256_CBC require an "aes_cbc" implementation
262 	 *    (actually two implementations, for encryption and decryption).
263 	 * -- 3DES_EDE_CBC requires a "des_cbc" implementation
264 	 *    (actually two implementations, for encryption and decryption).
265 	 * -- AES_128_GCM and AES_256_GCM require an "aes_ctr" imeplementation
266 	 *    and also a GHASH implementation.
267 	 *
268 	 * Two 3DES implementations are provided:
269 	 *
270 	 *    des_tab     Classical table-based implementation; it is
271 	 *                not constant-time.
272 	 *
273 	 *    dest_ct     Constant-time DES/3DES implementation. It is
274 	 *                slower than des_tab.
275 	 *
276 	 * Four AES implementations are provided:
277 	 *
278 	 *    aes_ct      Constant-time AES implementation, for 32-bit
279 	 *                systems.
280 	 *
281 	 *    aes_ct64    Constant-time AES implementation, for 64-bit
282 	 *                systems. It actually also runs on 32-bit systems,
283 	 *                but, on such systems, it yields larger code and
284 	 *                slightly worse performance. On 64-bit systems,
285 	 *                aes_ct64 is about twice faster than aes_ct for
286 	 *                CTR processing (GCM encryption and decryption),
287 	 *                and for CBC (decryption only).
288 	 *
289 	 *    aes_small   Smallest implementation provided, but also the
290 	 *                slowest, and it is not constant-time. Use it
291 	 *                only if desperate for code size.
292 	 *
293 	 *    aes_big     Classical table-based AES implementation. This
294 	 *                is decently fast and still resonably compact,
295 	 *                but it is not constant-time.
296 	 *
297 	 *    aes_x86ni   Very fast implementation that uses the AES-NI
298 	 *                opcodes on recent x86 CPU. But it may not be
299 	 *                compiled in the library if the compiler or
300 	 *                architecture is not supported; and the CPU
301 	 *                may also not support the opcodes. Selection
302 	 *                functions are provided to test for availability
303 	 *                of the code and the opcodes.
304 	 *
305 	 * Whether having constant-time implementations is absolutely
306 	 * required for security depends on the context (in particular
307 	 * whether the target architecture actually has cache memory),
308 	 * and while side-channel analysis for non-constant-time AES
309 	 * code has been demonstrated in lab conditions, it certainly
310 	 * does not apply to all actual usages, and it has never been
311 	 * spotted in the wild. It is still considered cautious to use
312 	 * constant-time code by default, and to consider the other
313 	 * implementations only if duly measured performance issues make
314 	 * it mandatory.
315 	 */
316 	br_ssl_engine_set_aes_cbc(&cc->eng,
317 		&br_aes_ct_cbcenc_vtable,
318 		&br_aes_ct_cbcdec_vtable);
319 	br_ssl_engine_set_aes_ctr(&cc->eng,
320 		&br_aes_ct_ctr_vtable);
321 	/* Alternate: aes_ct64
322 	br_ssl_engine_set_aes_cbc(&cc->eng,
323 		&br_aes_ct64_cbcenc_vtable,
324 		&br_aes_ct64_cbcdec_vtable);
325 	br_ssl_engine_set_aes_ctr(&cc->eng,
326 		&br_aes_ct64_ctr_vtable);
327 	*/
328 	/* Alternate: aes_small
329 	br_ssl_engine_set_aes_cbc(&cc->eng,
330 		&br_aes_small_cbcenc_vtable,
331 		&br_aes_small_cbcdec_vtable);
332 	br_ssl_engine_set_aes_ctr(&cc->eng,
333 		&br_aes_small_ctr_vtable);
334 	*/
335 	/* Alternate: aes_big
336 	br_ssl_engine_set_aes_cbc(&cc->eng,
337 		&br_aes_big_cbcenc_vtable,
338 		&br_aes_big_cbcdec_vtable);
339 	br_ssl_engine_set_aes_ctr(&cc->eng,
340 		&br_aes_big_ctr_vtable);
341 	*/
342 	br_ssl_engine_set_des_cbc(&cc->eng,
343 		&br_des_ct_cbcenc_vtable,
344 		&br_des_ct_cbcdec_vtable);
345 	/* Alternate: des_tab
346 	br_ssl_engine_set_des_cbc(&cc->eng,
347 		&br_des_tab_cbcenc_vtable,
348 		&br_des_tab_cbcdec_vtable);
349 	*/
350 
351 	/*
352 	 * GHASH is needed for AES_128_GCM and AES_256_GCM. Three
353 	 * implementations are provided:
354 	 *
355 	 *    ctmul     Uses 32-bit multiplications with a 64-bit result.
356 	 *
357 	 *    ctmul32   Uses 32-bit multiplications with a 32-bit result.
358 	 *
359 	 *    ctmul64   Uses 64-bit multiplications with a 64-bit result.
360 	 *
361 	 * On 64-bit platforms, ctmul64 is the smallest and fastest of
362 	 * the three. On 32-bit systems, ctmul should be preferred. The
363 	 * ctmul32 implementation is meant to be used for the specific
364 	 * 32-bit systems that do not have a 32x32->64 multiplier (i.e.
365 	 * the ARM Cortex-M0 and Cortex-M0+).
366 	 *
367 	 * These implementations are all constant-time as long as the
368 	 * underlying multiplication opcode is constant-time (which is
369 	 * true for all modern systems, but not for older architectures
370 	 * such that ARM9 or 80486).
371 	 */
372 	br_ssl_engine_set_ghash(&cc->eng,
373 		&br_ghash_ctmul);
374 	/* Alternate: ghash_ctmul32
375 	br_ssl_engine_set_ghash(&cc->eng,
376 		&br_ghash_ctmul32);
377 	*/
378 	/* Alternate: ghash_ctmul64
379 	br_ssl_engine_set_ghash(&cc->eng,
380 		&br_ghash_ctmul64);
381 	*/
382 
383 #if 0
384 	/*
385 	 * For a client, the normal case is to validate the server
386 	 * certificate with regards to a set of trust anchors. This
387 	 * entails using a br_x509_minimal_context structure, configured
388 	 * with the relevant algorithms, as shown below.
389 	 *
390 	 * Alternatively, the client could "know" the intended server
391 	 * public key through an out-of-band mechanism, in which case
392 	 * a br_x509_knownkey_context is appropriate, for a much reduced
393 	 * code footprint.
394 	 *
395 	 * We assume here that the following extra parameters have been
396 	 * provided:
397 	 *
398 	 *   xc                  engine context (br_x509_minimal_context *)
399 	 *   trust_anchors       trust anchors (br_x509_trust_anchor *)
400 	 *   trust_anchors_num   number of trust anchors (size_t)
401 	 */
402 
403 	/*
404 	 * The X.509 engine needs a hash function for processing the
405 	 * subject and issuer DN of certificates and trust anchors. Any
406 	 * supported hash function is appropriate; here we use SHA-256.
407 	 * The trust an
408 	 */
409 	br_x509_minimal_init(xc, &br_sha256_vtable,
410 		trust_anchors, trust_anchors_num);
411 
412 	/*
413 	 * Set suites and asymmetric crypto implementations. We use the
414 	 * "i31" code for RSA (it is somewhat faster than the "i32"
415 	 * implementation). These implementations are used for
416 	 * signature verification on certificates, but not for the
417 	 * SSL-specific usage of the server's public key. For instance,
418 	 * if the server has an EC public key but the rest of the chain
419 	 * (intermediate CA, root...) use RSA, then you would need only
420 	 * the RSA verification function below.
421 	 */
422 	br_x509_minimal_set_rsa(xc, &br_rsa_i31_pkcs1_vrfy);
423 	br_x509_minimal_set_ecdsa(xc,
424 		&br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1);
425 
426 	/*
427 	 * Set supported hash functions. These are for signatures on
428 	 * certificates. There again, you only need the hash functions
429 	 * that are actually used in certificates, but if a given
430 	 * function was included for the SSL engine, you may as well
431 	 * add it here.
432 	 *
433 	 * Note: the engine explicitly rejects signatures that use MD5.
434 	 * Thus, there is no need for MD5 here.
435 	 */
436 	br_ssl_engine_set_hash(xc, br_sha1_ID, &br_sha1_vtable);
437 	br_ssl_engine_set_hash(xc, br_sha224_ID, &br_sha224_vtable);
438 	br_ssl_engine_set_hash(xc, br_sha256_ID, &br_sha256_vtable);
439 	br_ssl_engine_set_hash(xc, br_sha384_ID, &br_sha384_vtable);
440 	br_ssl_engine_set_hash(xc, br_sha512_ID, &br_sha512_vtable);
441 
442 	/*
443 	 * Link the X.509 engine in the SSL engine.
444 	 */
445 	br_ssl_engine_set_x509(&cc->eng, &xc->vtable);
446 #endif
447 }
448 
449 /*
450  * Example server profile. Most of it is shared with the client
451  * profile, so see the comments in the client function for details.
452  *
453  * This example function assumes a server with a (unique) RSA private
454  * key, so the list of cipher suites is trimmed down for RSA.
455  */
456 void
457 example_server_profile(br_ssl_server_context *cc,
458 	const br_x509_certificate *chain, size_t chain_len,
459 	const br_rsa_private_key *sk)
460 {
461 	static const uint16_t suites[] = {
462 		BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
463 		BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
464 		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
465 		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
466 		BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
467 		BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
468 		BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
469 		BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
470 		BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
471 		BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
472 		BR_TLS_RSA_WITH_AES_128_CBC_SHA,
473 		BR_TLS_RSA_WITH_AES_256_CBC_SHA,
474 		BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
475 		BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
476 	};
477 
478 	br_ssl_server_zero(cc);
479 	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
480 
481 	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
482 	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
483 	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
484 
485 	/*
486 	 * Apart from the requirements listed in the client side, these
487 	 * hash functions are also used by the server to compute its
488 	 * signature on ECDHE parameters. Which functions are needed
489 	 * depends on what the client may support; furthermore, the
490 	 * client may fail to send the relevant extension, in which
491 	 * case the server will default to whatever it can (as per the
492 	 * standard, it should be SHA-1 in that case).
493 	 */
494 	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);
495 	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);
496 	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);
497 	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);
498 	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);
499 	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);
500 
501 	br_ssl_engine_set_suites(&cc->eng, suites,
502 		(sizeof suites) / (sizeof suites[0]));
503 
504 	/*
505 	 * Elliptic curve implementation is used for ECDHE suites (but
506 	 * not for ECDH).
507 	 */
508 	br_ssl_engine_set_ec(&cc->eng, &br_ec_prime_i31);
509 
510 	/*
511 	 * Set the "server policy": handler for the certificate chain
512 	 * and private key operations. Here, we indicate that the RSA
513 	 * private key is fit for both signing and decrypting, and we
514 	 * provide the two relevant implementations.
515 
516 	 * BR_KEYTYPE_KEYX allows TLS_RSA_*, BR_KEYTYPE_SIGN allows
517 	 * TLS_ECDHE_RSA_*.
518 	 */
519 	br_ssl_server_set_single_rsa(cc, chain, chain_len, sk,
520 		BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
521 		br_rsa_i31_private, br_rsa_i31_pkcs1_sign);
522 	/*
523 	 * If the server used an EC private key, this call would look
524 	 * like this:
525 
526 	br_ssl_server_set_single_ec(cc, chain, chain_len, sk,
527 		BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
528 		cert_issuer_key_type,
529 		&br_ec_prime_i31, br_ecdsa_i31_sign_asn1);
530 
531 	 * Note the tricky points:
532 	 *
533 	 * -- "ECDH" cipher suites use only the EC code (&br_ec_prime_i31);
534 	 *    the ECDHE_ECDSA cipher suites need both the EC code and
535 	 *    the ECDSA signature implementation.
536 	 *
537 	 * -- For "ECDH" (not "ECDHE") cipher suites, the engine must
538 	 *    know the key type (RSA or EC) for the intermediate CA that
539 	 *    issued the server's certificate; this is an artefact of
540 	 *    how the protocol is defined. BearSSL won't try to decode
541 	 *    the server's certificate to obtain that information (it
542 	 *    could do that, the code is there, but it would increase the
543 	 *    footprint). So this must be provided by the caller.
544 	 *
545 	 * -- BR_KEYTYPE_KEYX allows ECDH, BR_KEYTYPE_SIGN allows
546 	 *    ECDHE_ECDSA.
547 	 */
548 
549 	br_ssl_engine_set_cbc(&cc->eng,
550 		&br_sslrec_in_cbc_vtable,
551 		&br_sslrec_out_cbc_vtable);
552 	br_ssl_engine_set_gcm(&cc->eng,
553 		&br_sslrec_in_gcm_vtable,
554 		&br_sslrec_out_gcm_vtable);
555 
556 	br_ssl_engine_set_aes_cbc(&cc->eng,
557 		&br_aes_ct_cbcenc_vtable,
558 		&br_aes_ct_cbcdec_vtable);
559 	br_ssl_engine_set_aes_ctr(&cc->eng,
560 		&br_aes_ct_ctr_vtable);
561 	/* Alternate: aes_ct64
562 	br_ssl_engine_set_aes_cbc(&cc->eng,
563 		&br_aes_ct64_cbcenc_vtable,
564 		&br_aes_ct64_cbcdec_vtable);
565 	br_ssl_engine_set_aes_ctr(&cc->eng,
566 		&br_aes_ct64_ctr_vtable);
567 	*/
568 	/* Alternate: aes_small
569 	br_ssl_engine_set_aes_cbc(&cc->eng,
570 		&br_aes_small_cbcenc_vtable,
571 		&br_aes_small_cbcdec_vtable);
572 	br_ssl_engine_set_aes_ctr(&cc->eng,
573 		&br_aes_small_ctr_vtable);
574 	*/
575 	/* Alternate: aes_big
576 	br_ssl_engine_set_aes_cbc(&cc->eng,
577 		&br_aes_big_cbcenc_vtable,
578 		&br_aes_big_cbcdec_vtable);
579 	br_ssl_engine_set_aes_ctr(&cc->eng,
580 		&br_aes_big_ctr_vtable);
581 	*/
582 	br_ssl_engine_set_des_cbc(&cc->eng,
583 		&br_des_ct_cbcenc_vtable,
584 		&br_des_ct_cbcdec_vtable);
585 	/* Alternate: des_tab
586 	br_ssl_engine_set_des_cbc(&cc->eng,
587 		&br_des_tab_cbcenc_vtable,
588 		&br_des_tab_cbcdec_vtable);
589 	*/
590 
591 	br_ssl_engine_set_ghash(&cc->eng,
592 		&br_ghash_ctmul);
593 	/* Alternate: ghash_ctmul32
594 	br_ssl_engine_set_ghash(&cc->eng,
595 		&br_ghash_ctmul32);
596 	*/
597 	/* Alternate: ghash_ctmul64
598 	br_ssl_engine_set_ghash(&cc->eng,
599 		&br_ghash_ctmul64);
600 	*/
601 }
602