grpc 1.0.1 → 1.1.2

data/third_party/boringssl/ssl/ssl_cipher.c

@@ -141,7 +141,6 @@
 #include <openssl/ssl.h>
 
 #include <assert.h>
-#include <stdio.h>
 #include <string.h>
 
 #include <openssl/buf.h>
@@ -152,6 +151,7 @@
 #include <openssl/stack.h>
 
 #include "internal.h"
+#include "../crypto/internal.h"
 
 
 /* kCiphers is an array of all supported ciphers, sorted by id. */
@@ -168,28 +168,6 @@ static const SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
-    /* Cipher 04 */
-    {
-     SSL3_TXT_RSA_RC4_128_MD5,
-     SSL3_CK_RSA_RC4_128_MD5,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_RC4,
-     SSL_MD5,
-     SSL_HANDSHAKE_MAC_DEFAULT,
-    },
-
-    /* Cipher 05 */
-    {
-     SSL3_TXT_RSA_RC4_128_SHA,
-     SSL3_CK_RSA_RC4_128_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_HANDSHAKE_MAC_DEFAULT,
-    },
-
     /* Cipher 0A */
     {
      SSL3_TXT_RSA_DES_192_CBC3_SHA,
@@ -297,17 +275,6 @@ static const SSL_CIPHER kCiphers[] = {
 
     /* PSK cipher suites. */
 
-    /* Cipher 8A */
-    {
-     TLS1_TXT_PSK_WITH_RC4_128_SHA,
-     TLS1_CK_PSK_WITH_RC4_128_SHA,
-     SSL_kPSK,
-     SSL_aPSK,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_HANDSHAKE_MAC_DEFAULT,
-    },
-
     /* Cipher 8C */
     {
      TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
@@ -376,15 +343,50 @@ static const SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_SHA384,
     },
 
-    /* Cipher C007 */
+    /* CECPQ1 (combined elliptic curve + post-quantum) suites. */
+
+    /* Cipher 16B7 */
     {
-     TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
-     TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
-     SSL_kECDHE,
+     TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
+     TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
+     SSL_kCECPQ1,
+     SSL_aRSA,
+     SSL_CHACHA20POLY1305,
+     SSL_AEAD,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+
+    /* Cipher 16B8 */
+    {
+     TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+     TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+     SSL_kCECPQ1,
      SSL_aECDSA,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_HANDSHAKE_MAC_DEFAULT,
+     SSL_CHACHA20POLY1305,
+     SSL_AEAD,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+
+    /* Cipher 16B9 */
+    {
+     TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
+     TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
+     SSL_kCECPQ1,
+     SSL_aRSA,
+     SSL_AES256GCM,
+     SSL_AEAD,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
+
+    /* Cipher 16BA */
+    {
+     TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
+     TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
+     SSL_kCECPQ1,
+     SSL_aECDSA,
+     SSL_AES256GCM,
+     SSL_AEAD,
+     SSL_HANDSHAKE_MAC_SHA384,
     },
 
     /* Cipher C009 */
@@ -409,17 +411,6 @@ static const SSL_CIPHER kCiphers[] = {
      SSL_HANDSHAKE_MAC_DEFAULT,
     },
 
-    /* Cipher C011 */
-    {
-     TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
-     TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
-     SSL_kECDHE,
-     SSL_aRSA,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_HANDSHAKE_MAC_DEFAULT,
-    },
-
     /* Cipher C013 */
     {
      TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
@@ -616,9 +607,32 @@ static const SSL_CIPHER kCiphers[] = {
      SSL_AEAD,
      SSL_HANDSHAKE_MAC_SHA256,
     },
+
+    /* Cipher D001 */
+    {
+     TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+     TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+     SSL_kECDHE,
+     SSL_aPSK,
+     SSL_AES128GCM,
+     SSL_AEAD,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+
+    /* Cipher D002 */
+    {
+     TLS1_TXT_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
+     TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
+     SSL_kECDHE,
+     SSL_aPSK,
+     SSL_AES256GCM,
+     SSL_AEAD,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
+
 };
 
-static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]);
+static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
 
 #define CIPHER_ADD 1
 #define CIPHER_KILL 2
@@ -652,8 +666,9 @@ typedef struct cipher_alias_st {
 } CIPHER_ALIAS;
 
 static const CIPHER_ALIAS kCipherAliases[] = {
-    /* "ALL" doesn't include eNULL (must be specifically enabled) */
-    {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
+    /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly
+     * enabled. */
+    {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
 
     /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
 
@@ -668,15 +683,16 @@ static const CIPHER_ALIAS kCipherAliases[] = {
     {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
 
     {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
+    {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0},
     {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
     {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
 
     {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
 
     /* server authentication aliases */
-    {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
-    {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
-    {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
+    {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
+    {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
+    {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
     {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
 
     /* aliases combining key exchange and server authentication */
@@ -689,35 +705,32 @@ static const CIPHER_ALIAS kCipherAliases[] = {
 
     /* symmetric encryption aliases */
     {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
-    {"RC4", ~0u, ~0u, SSL_RC4, ~0u, 0},
     {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
-    {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
-    {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
-    {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
-    {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
+    {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
+    {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
+    {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
+    {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
      0},
 
     /* MAC aliases */
     {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
     {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
     {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
-    {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
-    {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
+    {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0},
+    {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0},
 
     /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
      * same as "SSLv3". */
-    {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
-    {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
-    {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
+    {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
+    {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
+    {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
 
     /* Legacy strength classes. */
-    {"MEDIUM", ~0u, ~0u, SSL_RC4, ~0u, 0},
-    {"HIGH", ~0u, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
-    {"FIPS", ~0u, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
+    {"HIGH", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
+    {"FIPS", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
 };
 
-static const size_t kCipherAliasesLen =
-    sizeof(kCipherAliases) / sizeof(kCipherAliases[0]);
+static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
 
 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
   const SSL_CIPHER *a = in_a;
@@ -756,46 +769,24 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
     case SSL_AES128GCM:
       *out_aead = EVP_aead_aes_128_gcm();
       *out_fixed_iv_len = 4;
-      return 1;
+      break;
 
     case SSL_AES256GCM:
       *out_aead = EVP_aead_aes_256_gcm();
       *out_fixed_iv_len = 4;
-      return 1;
+      break;
 
 #if !defined(BORINGSSL_ANDROID_SYSTEM)
     case SSL_CHACHA20POLY1305_OLD:
       *out_aead = EVP_aead_chacha20_poly1305_old();
       *out_fixed_iv_len = 0;
-      return 1;
+      break;
 #endif
 
     case SSL_CHACHA20POLY1305:
       *out_aead = EVP_aead_chacha20_poly1305();
       *out_fixed_iv_len = 12;
-      return 1;
-
-    case SSL_RC4:
-      switch (cipher->algorithm_mac) {
-        case SSL_MD5:
-          if (version == SSL3_VERSION) {
-            *out_aead = EVP_aead_rc4_md5_ssl3();
-          } else {
-            *out_aead = EVP_aead_rc4_md5_tls();
-          }
-          *out_mac_secret_len = MD5_DIGEST_LENGTH;
-          return 1;
-        case SSL_SHA1:
-          if (version == SSL3_VERSION) {
-            *out_aead = EVP_aead_rc4_sha1_ssl3();
-          } else {
-            *out_aead = EVP_aead_rc4_sha1_tls();
-          }
-          *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
-        default:
-          return 0;
-      }
+      break;
 
     case SSL_AES128:
       switch (cipher->algorithm_mac) {
@@ -810,14 +801,15 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
             *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
           }
           *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
         case SSL_SHA256:
           *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
           *out_mac_secret_len = SHA256_DIGEST_LENGTH;
-          return 1;
+          break;
         default:
           return 0;
       }
+      break;
 
     case SSL_AES256:
       switch (cipher->algorithm_mac) {
@@ -832,18 +824,19 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
             *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
           }
           *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
         case SSL_SHA256:
           *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
           *out_mac_secret_len = SHA256_DIGEST_LENGTH;
-          return 1;
+          break;
         case SSL_SHA384:
           *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
           *out_mac_secret_len = SHA384_DIGEST_LENGTH;
-          return 1;
+          break;
         default:
           return 0;
       }
+      break;
 
     case SSL_3DES:
       switch (cipher->algorithm_mac) {
@@ -858,10 +851,11 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
             *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
           }
           *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
         default:
           return 0;
       }
+      break;
 
     case SSL_eNULL:
       switch (cipher->algorithm_mac) {
@@ -872,14 +866,25 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
             *out_aead = EVP_aead_null_sha1_tls();
           }
           *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
         default:
           return 0;
       }
+      break;
 
     default:
       return 0;
   }
+
+  /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
+   * above computes the TLS 1.2 construction.
+   *
+   * TODO(davidben,svaldez): Avoid computing the wrong value and fixing it. */
+  if (version >= TLS1_3_VERSION) {
+    *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
+    assert(*out_fixed_iv_len >= 8);
+  }
+  return 1;
 }
 
 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
@@ -952,8 +957,7 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
   /* The set of ciphers is static, but some subset may be unsupported by
    * |ssl_method|, so the list may be smaller. */
   size_t co_list_num = 0;
-  size_t i;
-  for (i = 0; i < kCiphersLen; i++) {
+  for (size_t i = 0; i < kCiphersLen; i++) {
     const SSL_CIPHER *cipher = &kCiphers[i];
     if (ssl_method->supports_cipher(cipher)) {
       co_list[co_list_num].cipher = cipher;
@@ -972,7 +976,7 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
     if (co_list_num > 1) {
       co_list[0].next = &co_list[1];
 
-      for (i = 1; i < co_list_num - 1; i++) {
+      for (size_t i = 1; i < co_list_num - 1; i++) {
         co_list[i].prev = &co_list[i - 1];
         co_list[i].next = &co_list[i + 1];
       }
@@ -1051,13 +1055,22 @@ static void ssl_cipher_apply_rule(
       if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
         continue;
       }
-    } else if (!(alg_mkey & cp->algorithm_mkey) ||
-               !(alg_auth & cp->algorithm_auth) ||
-               !(alg_enc & cp->algorithm_enc) ||
-               !(alg_mac & cp->algorithm_mac) ||
-               (min_version != 0 &&
-                SSL_CIPHER_get_min_version(cp) != min_version)) {
-      continue;
+    } else {
+      if (!(alg_mkey & cp->algorithm_mkey) ||
+          !(alg_auth & cp->algorithm_auth) ||
+          !(alg_enc & cp->algorithm_enc) ||
+          !(alg_mac & cp->algorithm_mac) ||
+          (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
+        continue;
+      }
+
+      /* The following ciphers are internal implementation details of TLS 1.3
+       * resumption but are not yet finalized. Disable them by default until
+       * then. */
+      if (cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ||
+          cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384) {
+        continue;
+      }
     }
 
     /* add the cipher if it has not been added yet. */
@@ -1405,6 +1418,7 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
 
   /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
    * key exchange mechanisms */
+
   ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
                         0, &head, &tail);
   ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1417,10 +1431,10 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
    * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
    * old one. */
   if (EVP_has_aes_hardware()) {
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
-                          &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
                           &head, &tail);
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
+                          &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
                           -1, 0, &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
@@ -1430,21 +1444,17 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
                           -1, 0, &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
                           CIPHER_ADD, -1, 0, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
-                          &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
                           &head, &tail);
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
+                          &head, &tail);
   }
 
-  /* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA,
-   * RC4_128_MD5, 3DES_EDE_CBC_SHA. */
-  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
-                        &head, &tail);
+  /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
+   * 3DES_EDE_CBC_SHA. */
   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
                         &head, &tail);
-  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, 0, CIPHER_ADD, -1, 0,
-                        &head, &tail);
-  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, 0, CIPHER_ADD, -1, 0,
+  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
                         &head, &tail);
   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
                         &tail);
@@ -1565,6 +1575,30 @@ uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
   return id & 0xffff;
 }
 
+int ssl_cipher_get_ecdhe_psk_cipher(const SSL_CIPHER *cipher,
+                                    uint16_t *out_cipher) {
+  switch (cipher->id) {
+    case TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+    case TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
+    case TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
+      *out_cipher = TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff;
+      return 1;
+
+    case TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+    case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+    case TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256:
+      *out_cipher = TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 & 0xffff;
+      return 1;
+
+    case TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+    case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+    case TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384:
+      *out_cipher = TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384 & 0xffff;
+      return 1;
+  }
+  return 0;
+}
+
 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_enc & SSL_AES) != 0;
 }
@@ -1577,6 +1611,10 @@ int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_mac & SSL_SHA1) != 0;
 }
 
+int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_mac & SSL_SHA256) != 0;
+}
+
 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
 }
@@ -1602,13 +1640,8 @@ int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_enc & SSL_eNULL) != 0;
 }
 
-int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher) {
-  return (cipher->algorithm_enc & SSL_RC4) != 0;
-}
-
 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
-  /* Neither stream cipher nor AEAD. */
-  return (cipher->algorithm_enc & (SSL_RC4 | SSL_eNULL)) == 0 &&
+  return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
       cipher->algorithm_mac != SSL_AEAD;
 }
 
@@ -1616,10 +1649,18 @@ int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_auth & SSL_aECDSA) != 0;
 }
 
+int SSL_CIPHER_is_DHE(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_mkey & SSL_kDHE) != 0;
+}
+
 int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
 }
 
+int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0;
+}
+
 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
   if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
     /* Cipher suites before TLS 1.2 use the default PRF, while all those added
@@ -1629,6 +1670,17 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
   return SSL3_VERSION;
 }
 
+uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
+  if (cipher->algorithm_mac == SSL_AEAD &&
+      (cipher->algorithm_enc & SSL_CHACHA20POLY1305_OLD) == 0 &&
+      (cipher->algorithm_mkey & SSL_kECDHE) != 0 &&
+      /* TODO(davidben,svaldez): Support PSK-based ciphers in TLS 1.3. */
+      (cipher->algorithm_auth & SSL_aCERT) != 0) {
+    return TLS1_3_VERSION;
+  }
+  return TLS1_2_VERSION;
+}
+
 /* return the actual cipher being used */
 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
   if (cipher != NULL) {
@@ -1669,6 +1721,17 @@ const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
           return "UNKNOWN";
       }
 
+    case SSL_kCECPQ1:
+      switch (cipher->algorithm_auth) {
+        case SSL_aECDSA:
+          return "CECPQ1_ECDSA";
+        case SSL_aRSA:
+          return "CECPQ1_RSA";
+        default:
+          assert(0);
+          return "UNKNOWN";
+      }
+
     case SSL_kPSK:
       assert(cipher->algorithm_auth == SSL_aPSK);
       return "PSK";
@@ -1683,8 +1746,6 @@ static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
   switch (cipher->algorithm_enc) {
     case SSL_3DES:
       return "3DES_EDE_CBC";
-    case SSL_RC4:
-      return "RC4";
     case SSL_AES128:
       return "AES_128_CBC";
     case SSL_AES256:
@@ -1763,7 +1824,6 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
   switch (cipher->algorithm_enc) {
     case SSL_AES128:
     case SSL_AES128GCM:
-    case SSL_RC4:
       alg_bits = 128;
       strength_bits = 128;
       break;
@@ -1823,6 +1883,10 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
       kx = "ECDH";
       break;
 
+    case SSL_kCECPQ1:
+      kx = "CECPQ1";
+      break;
+
     case SSL_kPSK:
       kx = "PSK";
       break;
@@ -1854,10 +1918,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
       enc = "3DES(168)";
       break;
 
-    case SSL_RC4:
-      enc = "RC4(128)";
-      break;
-
     case SSL_AES128:
       enc = "AES(128)";
       break;
@@ -1954,20 +2014,15 @@ int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
   return EVP_PKEY_NONE;
 }
 
-int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
-  /* PSK-authenticated ciphers do not use a certificate. (RSA_PSK is not
-   * supported.) */
-  if (cipher->algorithm_auth & SSL_aPSK) {
-    return 0;
-  }
-
-  /* All other ciphers include it. */
-  return 1;
+int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_auth & SSL_aCERT) != 0;
 }
 
 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
   /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
-  if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) {
+  if (cipher->algorithm_mkey & SSL_kDHE ||
+      cipher->algorithm_mkey & SSL_kECDHE ||
+      cipher->algorithm_mkey & SSL_kCECPQ1) {
     return 1;
   }