1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <string.h>
145
146 #include <openssl/buf.h>
147 #include <openssl/err.h>
148 #include <openssl/md5.h>
149 #include <openssl/mem.h>
150 #include <openssl/sha.h>
151 #include <openssl/stack.h>
152
153 #include "internal.h"
154
155
156 /* kCiphers is an array of all supported ciphers, sorted by id. */
157 static const SSL_CIPHER kCiphers[] = {
158 /* The RSA ciphers */
159 /* Cipher 02 */
160 {
161 SSL3_TXT_RSA_NULL_SHA,
162 SSL3_CK_RSA_NULL_SHA,
163 SSL_kRSA,
164 SSL_aRSA,
165 SSL_eNULL,
166 SSL_SHA1,
167 SSL_HANDSHAKE_MAC_DEFAULT,
168 },
169
170 /* Cipher 04 */
171 {
172 SSL3_TXT_RSA_RC4_128_MD5,
173 SSL3_CK_RSA_RC4_128_MD5,
174 SSL_kRSA,
175 SSL_aRSA,
176 SSL_RC4,
177 SSL_MD5,
178 SSL_HANDSHAKE_MAC_DEFAULT,
179 },
180
181 /* Cipher 05 */
182 {
183 SSL3_TXT_RSA_RC4_128_SHA,
184 SSL3_CK_RSA_RC4_128_SHA,
185 SSL_kRSA,
186 SSL_aRSA,
187 SSL_RC4,
188 SSL_SHA1,
189 SSL_HANDSHAKE_MAC_DEFAULT,
190 },
191
192 /* Cipher 0A */
193 {
194 SSL3_TXT_RSA_DES_192_CBC3_SHA,
195 SSL3_CK_RSA_DES_192_CBC3_SHA,
196 SSL_kRSA,
197 SSL_aRSA,
198 SSL_3DES,
199 SSL_SHA1,
200 SSL_HANDSHAKE_MAC_DEFAULT,
201 },
202
203
204 /* New AES ciphersuites */
205
206 /* Cipher 2F */
207 {
208 TLS1_TXT_RSA_WITH_AES_128_SHA,
209 TLS1_CK_RSA_WITH_AES_128_SHA,
210 SSL_kRSA,
211 SSL_aRSA,
212 SSL_AES128,
213 SSL_SHA1,
214 SSL_HANDSHAKE_MAC_DEFAULT,
215 },
216
217 /* Cipher 33 */
218 {
219 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
220 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
221 SSL_kDHE,
222 SSL_aRSA,
223 SSL_AES128,
224 SSL_SHA1,
225 SSL_HANDSHAKE_MAC_DEFAULT,
226 },
227
228 /* Cipher 35 */
229 {
230 TLS1_TXT_RSA_WITH_AES_256_SHA,
231 TLS1_CK_RSA_WITH_AES_256_SHA,
232 SSL_kRSA,
233 SSL_aRSA,
234 SSL_AES256,
235 SSL_SHA1,
236 SSL_HANDSHAKE_MAC_DEFAULT,
237 },
238
239 /* Cipher 39 */
240 {
241 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
242 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
243 SSL_kDHE,
244 SSL_aRSA,
245 SSL_AES256,
246 SSL_SHA1,
247 SSL_HANDSHAKE_MAC_DEFAULT,
248 },
249
250
251 /* TLS v1.2 ciphersuites */
252
253 /* Cipher 3C */
254 {
255 TLS1_TXT_RSA_WITH_AES_128_SHA256,
256 TLS1_CK_RSA_WITH_AES_128_SHA256,
257 SSL_kRSA,
258 SSL_aRSA,
259 SSL_AES128,
260 SSL_SHA256,
261 SSL_HANDSHAKE_MAC_SHA256,
262 },
263
264 /* Cipher 3D */
265 {
266 TLS1_TXT_RSA_WITH_AES_256_SHA256,
267 TLS1_CK_RSA_WITH_AES_256_SHA256,
268 SSL_kRSA,
269 SSL_aRSA,
270 SSL_AES256,
271 SSL_SHA256,
272 SSL_HANDSHAKE_MAC_SHA256,
273 },
274
275 /* Cipher 67 */
276 {
277 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
278 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
279 SSL_kDHE,
280 SSL_aRSA,
281 SSL_AES128,
282 SSL_SHA256,
283 SSL_HANDSHAKE_MAC_SHA256,
284 },
285
286 /* Cipher 6B */
287 {
288 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
289 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
290 SSL_kDHE,
291 SSL_aRSA,
292 SSL_AES256,
293 SSL_SHA256,
294 SSL_HANDSHAKE_MAC_SHA256,
295 },
296
297 /* PSK cipher suites. */
298
299 /* Cipher 8A */
300 {
301 TLS1_TXT_PSK_WITH_RC4_128_SHA,
302 TLS1_CK_PSK_WITH_RC4_128_SHA,
303 SSL_kPSK,
304 SSL_aPSK,
305 SSL_RC4,
306 SSL_SHA1,
307 SSL_HANDSHAKE_MAC_DEFAULT,
308 },
309
310 /* Cipher 8C */
311 {
312 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
313 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
314 SSL_kPSK,
315 SSL_aPSK,
316 SSL_AES128,
317 SSL_SHA1,
318 SSL_HANDSHAKE_MAC_DEFAULT,
319 },
320
321 /* Cipher 8D */
322 {
323 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
324 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
325 SSL_kPSK,
326 SSL_aPSK,
327 SSL_AES256,
328 SSL_SHA1,
329 SSL_HANDSHAKE_MAC_DEFAULT,
330 },
331
332 /* GCM ciphersuites from RFC5288 */
333
334 /* Cipher 9C */
335 {
336 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
337 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
338 SSL_kRSA,
339 SSL_aRSA,
340 SSL_AES128GCM,
341 SSL_AEAD,
342 SSL_HANDSHAKE_MAC_SHA256,
343 },
344
345 /* Cipher 9D */
346 {
347 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
348 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
349 SSL_kRSA,
350 SSL_aRSA,
351 SSL_AES256GCM,
352 SSL_AEAD,
353 SSL_HANDSHAKE_MAC_SHA384,
354 },
355
356 /* Cipher 9E */
357 {
358 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
359 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
360 SSL_kDHE,
361 SSL_aRSA,
362 SSL_AES128GCM,
363 SSL_AEAD,
364 SSL_HANDSHAKE_MAC_SHA256,
365 },
366
367 /* Cipher 9F */
368 {
369 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
370 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
371 SSL_kDHE,
372 SSL_aRSA,
373 SSL_AES256GCM,
374 SSL_AEAD,
375 SSL_HANDSHAKE_MAC_SHA384,
376 },
377
378 /* CECPQ1 (combined elliptic curve + post-quantum) suites. */
379
380 /* Cipher 16B7 */
381 {
382 TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
383 TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
384 SSL_kCECPQ1,
385 SSL_aRSA,
386 SSL_CHACHA20POLY1305,
387 SSL_AEAD,
388 SSL_HANDSHAKE_MAC_SHA256,
389 },
390
391 /* Cipher 16B8 */
392 {
393 TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
394 TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
395 SSL_kCECPQ1,
396 SSL_aECDSA,
397 SSL_CHACHA20POLY1305,
398 SSL_AEAD,
399 SSL_HANDSHAKE_MAC_SHA256,
400 },
401
402 /* Cipher 16B9 */
403 {
404 TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
405 TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
406 SSL_kCECPQ1,
407 SSL_aRSA,
408 SSL_AES256GCM,
409 SSL_AEAD,
410 SSL_HANDSHAKE_MAC_SHA384,
411 },
412
413 /* Cipher 16BA */
414 {
415 TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
416 TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
417 SSL_kCECPQ1,
418 SSL_aECDSA,
419 SSL_AES256GCM,
420 SSL_AEAD,
421 SSL_HANDSHAKE_MAC_SHA384,
422 },
423
424 /* Cipher C007 */
425 {
426 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
427 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
428 SSL_kECDHE,
429 SSL_aECDSA,
430 SSL_RC4,
431 SSL_SHA1,
432 SSL_HANDSHAKE_MAC_DEFAULT,
433 },
434
435 /* Cipher C009 */
436 {
437 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
438 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
439 SSL_kECDHE,
440 SSL_aECDSA,
441 SSL_AES128,
442 SSL_SHA1,
443 SSL_HANDSHAKE_MAC_DEFAULT,
444 },
445
446 /* Cipher C00A */
447 {
448 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
449 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
450 SSL_kECDHE,
451 SSL_aECDSA,
452 SSL_AES256,
453 SSL_SHA1,
454 SSL_HANDSHAKE_MAC_DEFAULT,
455 },
456
457 /* Cipher C011 */
458 {
459 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
460 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
461 SSL_kECDHE,
462 SSL_aRSA,
463 SSL_RC4,
464 SSL_SHA1,
465 SSL_HANDSHAKE_MAC_DEFAULT,
466 },
467
468 /* Cipher C013 */
469 {
470 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
471 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
472 SSL_kECDHE,
473 SSL_aRSA,
474 SSL_AES128,
475 SSL_SHA1,
476 SSL_HANDSHAKE_MAC_DEFAULT,
477 },
478
479 /* Cipher C014 */
480 {
481 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
482 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
483 SSL_kECDHE,
484 SSL_aRSA,
485 SSL_AES256,
486 SSL_SHA1,
487 SSL_HANDSHAKE_MAC_DEFAULT,
488 },
489
490
491 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
492
493 /* Cipher C023 */
494 {
495 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
496 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
497 SSL_kECDHE,
498 SSL_aECDSA,
499 SSL_AES128,
500 SSL_SHA256,
501 SSL_HANDSHAKE_MAC_SHA256,
502 },
503
504 /* Cipher C024 */
505 {
506 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
507 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
508 SSL_kECDHE,
509 SSL_aECDSA,
510 SSL_AES256,
511 SSL_SHA384,
512 SSL_HANDSHAKE_MAC_SHA384,
513 },
514
515 /* Cipher C027 */
516 {
517 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
518 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
519 SSL_kECDHE,
520 SSL_aRSA,
521 SSL_AES128,
522 SSL_SHA256,
523 SSL_HANDSHAKE_MAC_SHA256,
524 },
525
526 /* Cipher C028 */
527 {
528 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
529 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
530 SSL_kECDHE,
531 SSL_aRSA,
532 SSL_AES256,
533 SSL_SHA384,
534 SSL_HANDSHAKE_MAC_SHA384,
535 },
536
537
538 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
539
540 /* Cipher C02B */
541 {
542 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
543 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
544 SSL_kECDHE,
545 SSL_aECDSA,
546 SSL_AES128GCM,
547 SSL_AEAD,
548 SSL_HANDSHAKE_MAC_SHA256,
549 },
550
551 /* Cipher C02C */
552 {
553 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
554 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
555 SSL_kECDHE,
556 SSL_aECDSA,
557 SSL_AES256GCM,
558 SSL_AEAD,
559 SSL_HANDSHAKE_MAC_SHA384,
560 },
561
562 /* Cipher C02F */
563 {
564 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
565 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
566 SSL_kECDHE,
567 SSL_aRSA,
568 SSL_AES128GCM,
569 SSL_AEAD,
570 SSL_HANDSHAKE_MAC_SHA256,
571 },
572
573 /* Cipher C030 */
574 {
575 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
576 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
577 SSL_kECDHE,
578 SSL_aRSA,
579 SSL_AES256GCM,
580 SSL_AEAD,
581 SSL_HANDSHAKE_MAC_SHA384,
582 },
583
584 /* ECDHE-PSK cipher suites. */
585
586 /* Cipher C035 */
587 {
588 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
589 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
590 SSL_kECDHE,
591 SSL_aPSK,
592 SSL_AES128,
593 SSL_SHA1,
594 SSL_HANDSHAKE_MAC_DEFAULT,
595 },
596
597 /* Cipher C036 */
598 {
599 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
600 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
601 SSL_kECDHE,
602 SSL_aPSK,
603 SSL_AES256,
604 SSL_SHA1,
605 SSL_HANDSHAKE_MAC_DEFAULT,
606 },
607
608 /* ChaCha20-Poly1305 cipher suites. */
609
610 #if !defined(BORINGSSL_ANDROID_SYSTEM)
611 {
612 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
613 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
614 SSL_kECDHE,
615 SSL_aRSA,
616 SSL_CHACHA20POLY1305_OLD,
617 SSL_AEAD,
618 SSL_HANDSHAKE_MAC_SHA256,
619 },
620
621 {
622 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
623 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
624 SSL_kECDHE,
625 SSL_aECDSA,
626 SSL_CHACHA20POLY1305_OLD,
627 SSL_AEAD,
628 SSL_HANDSHAKE_MAC_SHA256,
629 },
630 #endif
631
632 /* Cipher CCA8 */
633 {
634 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
635 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
636 SSL_kECDHE,
637 SSL_aRSA,
638 SSL_CHACHA20POLY1305,
639 SSL_AEAD,
640 SSL_HANDSHAKE_MAC_SHA256,
641 },
642
643 /* Cipher CCA9 */
644 {
645 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
646 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
647 SSL_kECDHE,
648 SSL_aECDSA,
649 SSL_CHACHA20POLY1305,
650 SSL_AEAD,
651 SSL_HANDSHAKE_MAC_SHA256,
652 },
653
654 /* Cipher CCAB */
655 {
656 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
657 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
658 SSL_kECDHE,
659 SSL_aPSK,
660 SSL_CHACHA20POLY1305,
661 SSL_AEAD,
662 SSL_HANDSHAKE_MAC_SHA256,
663 },
664
665 /* Cipher D001 */
666 {
667 TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
668 TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
669 SSL_kECDHE,
670 SSL_aPSK,
671 SSL_AES128GCM,
672 SSL_SHA256,
673 SSL_HANDSHAKE_MAC_SHA256,
674 },
675
676 /* Cipher D002 */
677 {
678 TLS1_TXT_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
679 TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
680 SSL_kECDHE,
681 SSL_aPSK,
682 SSL_AES256GCM,
683 SSL_SHA384,
684 SSL_HANDSHAKE_MAC_SHA384,
685 },
686
687 };
688
689 static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]);
690
691 #define CIPHER_ADD 1
692 #define CIPHER_KILL 2
693 #define CIPHER_DEL 3
694 #define CIPHER_ORD 4
695 #define CIPHER_SPECIAL 5
696
697 typedef struct cipher_order_st {
698 const SSL_CIPHER *cipher;
699 int active;
700 int in_group;
701 struct cipher_order_st *next, *prev;
702 } CIPHER_ORDER;
703
704 typedef struct cipher_alias_st {
705 /* name is the name of the cipher alias. */
706 const char *name;
707
708 /* The following fields are bitmasks for the corresponding fields on
709 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
710 * bit corresponding to the cipher's value is set to 1. If any bitmask is
711 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
712 uint32_t algorithm_mkey;
713 uint32_t algorithm_auth;
714 uint32_t algorithm_enc;
715 uint32_t algorithm_mac;
716
717 /* min_version, if non-zero, matches all ciphers which were added in that
718 * particular protocol version. */
719 uint16_t min_version;
720 } CIPHER_ALIAS;
721
722 static const CIPHER_ALIAS kCipherAliases[] = {
723 /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly
724 * enabled. */
725 {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
726
727 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
728
729 /* key exchange aliases
730 * (some of those using only a single bit here combine
731 * multiple key exchange algs according to the RFCs,
732 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
733 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
734
735 {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
736 {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
737 {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
738
739 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
740 {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0},
741 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
742 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
743
744 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
745
746 /* server authentication aliases */
747 {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
748 {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
749 {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
750 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
751
752 /* aliases combining key exchange and server authentication */
753 {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
754 {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
755 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
756 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
757 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
758 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
759
760 /* symmetric encryption aliases */
761 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
762 {"RC4", ~0u, ~0u, SSL_RC4, ~0u, 0},
763 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
764 {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
765 {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
766 {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
767 {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
768 0},
769
770 /* MAC aliases */
771 {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
772 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
773 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
774 {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0},
775 {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0},
776
777 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
778 * same as "SSLv3". */
779 {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
780 {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
781 {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
782
783 /* Legacy strength classes. */
784 {"MEDIUM", ~0u, ~0u, SSL_RC4, ~0u, 0},
785 {"HIGH", ~SSL_kCECPQ1, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
786 {"FIPS", ~SSL_kCECPQ1, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
787 };
788
789 static const size_t kCipherAliasesLen =
790 sizeof(kCipherAliases) / sizeof(kCipherAliases[0]);
791
ssl_cipher_id_cmp(const void * in_a,const void * in_b)792 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
793 const SSL_CIPHER *a = in_a;
794 const SSL_CIPHER *b = in_b;
795
796 if (a->id > b->id) {
797 return 1;
798 } else if (a->id < b->id) {
799 return -1;
800 } else {
801 return 0;
802 }
803 }
804
ssl_cipher_ptr_id_cmp(const SSL_CIPHER ** a,const SSL_CIPHER ** b)805 static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) {
806 return ssl_cipher_id_cmp(*a, *b);
807 }
808
SSL_get_cipher_by_value(uint16_t value)809 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
810 SSL_CIPHER c;
811
812 c.id = 0x03000000L | value;
813 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
814 ssl_cipher_id_cmp);
815 }
816
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version)817 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
818 size_t *out_mac_secret_len,
819 size_t *out_fixed_iv_len,
820 const SSL_CIPHER *cipher, uint16_t version) {
821 *out_aead = NULL;
822 *out_mac_secret_len = 0;
823 *out_fixed_iv_len = 0;
824
825 switch (cipher->algorithm_enc) {
826 case SSL_AES128GCM:
827 *out_aead = EVP_aead_aes_128_gcm();
828 *out_fixed_iv_len = 4;
829 break;
830
831 case SSL_AES256GCM:
832 *out_aead = EVP_aead_aes_256_gcm();
833 *out_fixed_iv_len = 4;
834 break;
835
836 #if !defined(BORINGSSL_ANDROID_SYSTEM)
837 case SSL_CHACHA20POLY1305_OLD:
838 *out_aead = EVP_aead_chacha20_poly1305_old();
839 *out_fixed_iv_len = 0;
840 break;
841 #endif
842
843 case SSL_CHACHA20POLY1305:
844 *out_aead = EVP_aead_chacha20_poly1305();
845 *out_fixed_iv_len = 12;
846 break;
847
848 case SSL_RC4:
849 switch (cipher->algorithm_mac) {
850 case SSL_MD5:
851 if (version == SSL3_VERSION) {
852 *out_aead = EVP_aead_rc4_md5_ssl3();
853 } else {
854 *out_aead = EVP_aead_rc4_md5_tls();
855 }
856 *out_mac_secret_len = MD5_DIGEST_LENGTH;
857 break;
858 case SSL_SHA1:
859 if (version == SSL3_VERSION) {
860 *out_aead = EVP_aead_rc4_sha1_ssl3();
861 } else {
862 *out_aead = EVP_aead_rc4_sha1_tls();
863 }
864 *out_mac_secret_len = SHA_DIGEST_LENGTH;
865 break;
866 default:
867 return 0;
868 }
869 break;
870
871 case SSL_AES128:
872 switch (cipher->algorithm_mac) {
873 case SSL_SHA1:
874 if (version == SSL3_VERSION) {
875 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
876 *out_fixed_iv_len = 16;
877 } else if (version == TLS1_VERSION) {
878 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
879 *out_fixed_iv_len = 16;
880 } else {
881 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
882 }
883 *out_mac_secret_len = SHA_DIGEST_LENGTH;
884 break;
885 case SSL_SHA256:
886 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
887 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
888 break;
889 default:
890 return 0;
891 }
892 break;
893
894 case SSL_AES256:
895 switch (cipher->algorithm_mac) {
896 case SSL_SHA1:
897 if (version == SSL3_VERSION) {
898 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
899 *out_fixed_iv_len = 16;
900 } else if (version == TLS1_VERSION) {
901 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
902 *out_fixed_iv_len = 16;
903 } else {
904 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
905 }
906 *out_mac_secret_len = SHA_DIGEST_LENGTH;
907 break;
908 case SSL_SHA256:
909 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
910 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
911 break;
912 case SSL_SHA384:
913 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
914 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
915 break;
916 default:
917 return 0;
918 }
919 break;
920
921 case SSL_3DES:
922 switch (cipher->algorithm_mac) {
923 case SSL_SHA1:
924 if (version == SSL3_VERSION) {
925 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
926 *out_fixed_iv_len = 8;
927 } else if (version == TLS1_VERSION) {
928 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
929 *out_fixed_iv_len = 8;
930 } else {
931 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
932 }
933 *out_mac_secret_len = SHA_DIGEST_LENGTH;
934 break;
935 default:
936 return 0;
937 }
938 break;
939
940 case SSL_eNULL:
941 switch (cipher->algorithm_mac) {
942 case SSL_SHA1:
943 if (version == SSL3_VERSION) {
944 *out_aead = EVP_aead_null_sha1_ssl3();
945 } else {
946 *out_aead = EVP_aead_null_sha1_tls();
947 }
948 *out_mac_secret_len = SHA_DIGEST_LENGTH;
949 break;
950 default:
951 return 0;
952 }
953 break;
954
955 default:
956 return 0;
957 }
958
959 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
960 * above computes the TLS 1.2 construction.
961 *
962 * TODO(davidben,svaldez): Avoid computing the wrong value and fixing it. */
963 if (version >= TLS1_3_VERSION) {
964 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
965 assert(*out_fixed_iv_len >= 8);
966 }
967 return 1;
968 }
969
ssl_get_handshake_digest(uint32_t algorithm_prf)970 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
971 switch (algorithm_prf) {
972 case SSL_HANDSHAKE_MAC_DEFAULT:
973 return EVP_sha1();
974 case SSL_HANDSHAKE_MAC_SHA256:
975 return EVP_sha256();
976 case SSL_HANDSHAKE_MAC_SHA384:
977 return EVP_sha384();
978 default:
979 return NULL;
980 }
981 }
982
983 #define ITEM_SEP(a) \
984 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
985
986 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
987 * |buf_len| bytes at |buf|. */
rule_equals(const char * rule,const char * buf,size_t buf_len)988 static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
989 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
990 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
991 }
992
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)993 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
994 CIPHER_ORDER **tail) {
995 if (curr == *tail) {
996 return;
997 }
998 if (curr == *head) {
999 *head = curr->next;
1000 }
1001 if (curr->prev != NULL) {
1002 curr->prev->next = curr->next;
1003 }
1004 if (curr->next != NULL) {
1005 curr->next->prev = curr->prev;
1006 }
1007 (*tail)->next = curr;
1008 curr->prev = *tail;
1009 curr->next = NULL;
1010 *tail = curr;
1011 }
1012
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)1013 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
1014 CIPHER_ORDER **tail) {
1015 if (curr == *head) {
1016 return;
1017 }
1018 if (curr == *tail) {
1019 *tail = curr->prev;
1020 }
1021 if (curr->next != NULL) {
1022 curr->next->prev = curr->prev;
1023 }
1024 if (curr->prev != NULL) {
1025 curr->prev->next = curr->next;
1026 }
1027 (*head)->prev = curr;
1028 curr->next = *head;
1029 curr->prev = NULL;
1030 *head = curr;
1031 }
1032
ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD * ssl_method,CIPHER_ORDER * co_list,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1033 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
1034 CIPHER_ORDER *co_list,
1035 CIPHER_ORDER **head_p,
1036 CIPHER_ORDER **tail_p) {
1037 /* The set of ciphers is static, but some subset may be unsupported by
1038 * |ssl_method|, so the list may be smaller. */
1039 size_t co_list_num = 0;
1040 size_t i;
1041 for (i = 0; i < kCiphersLen; i++) {
1042 const SSL_CIPHER *cipher = &kCiphers[i];
1043 if (ssl_method->supports_cipher(cipher)) {
1044 co_list[co_list_num].cipher = cipher;
1045 co_list[co_list_num].next = NULL;
1046 co_list[co_list_num].prev = NULL;
1047 co_list[co_list_num].active = 0;
1048 co_list[co_list_num].in_group = 0;
1049 co_list_num++;
1050 }
1051 }
1052
1053 /* Prepare linked list from list entries. */
1054 if (co_list_num > 0) {
1055 co_list[0].prev = NULL;
1056
1057 if (co_list_num > 1) {
1058 co_list[0].next = &co_list[1];
1059
1060 for (i = 1; i < co_list_num - 1; i++) {
1061 co_list[i].prev = &co_list[i - 1];
1062 co_list[i].next = &co_list[i + 1];
1063 }
1064
1065 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
1066 }
1067
1068 co_list[co_list_num - 1].next = NULL;
1069
1070 *head_p = &co_list[0];
1071 *tail_p = &co_list[co_list_num - 1];
1072 }
1073 }
1074
1075 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
1076 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
1077 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
1078 *
1079 * - If |cipher_id| is non-zero, only that cipher is selected.
1080 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
1081 * of that strength.
1082 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
1083 * |min_version|. */
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint16_t min_version,int rule,int strength_bits,int in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1084 static void ssl_cipher_apply_rule(
1085 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
1086 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
1087 int strength_bits, int in_group, CIPHER_ORDER **head_p,
1088 CIPHER_ORDER **tail_p) {
1089 CIPHER_ORDER *head, *tail, *curr, *next, *last;
1090 const SSL_CIPHER *cp;
1091 int reverse = 0;
1092
1093 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
1094 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
1095 /* The rule matches nothing, so bail early. */
1096 return;
1097 }
1098
1099 if (rule == CIPHER_DEL) {
1100 /* needed to maintain sorting between currently deleted ciphers */
1101 reverse = 1;
1102 }
1103
1104 head = *head_p;
1105 tail = *tail_p;
1106
1107 if (reverse) {
1108 next = tail;
1109 last = head;
1110 } else {
1111 next = head;
1112 last = tail;
1113 }
1114
1115 curr = NULL;
1116 for (;;) {
1117 if (curr == last) {
1118 break;
1119 }
1120
1121 curr = next;
1122 if (curr == NULL) {
1123 break;
1124 }
1125
1126 next = reverse ? curr->prev : curr->next;
1127 cp = curr->cipher;
1128
1129 /* Selection criteria is either a specific cipher, the value of
1130 * |strength_bits|, or the algorithms used. */
1131 if (cipher_id != 0) {
1132 if (cipher_id != cp->id) {
1133 continue;
1134 }
1135 } else if (strength_bits >= 0) {
1136 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
1137 continue;
1138 }
1139 } else if (!(alg_mkey & cp->algorithm_mkey) ||
1140 !(alg_auth & cp->algorithm_auth) ||
1141 !(alg_enc & cp->algorithm_enc) ||
1142 !(alg_mac & cp->algorithm_mac) ||
1143 (min_version != 0 &&
1144 SSL_CIPHER_get_min_version(cp) != min_version)) {
1145 continue;
1146 }
1147
1148 /* add the cipher if it has not been added yet. */
1149 if (rule == CIPHER_ADD) {
1150 /* reverse == 0 */
1151 if (!curr->active) {
1152 ll_append_tail(&head, curr, &tail);
1153 curr->active = 1;
1154 curr->in_group = in_group;
1155 }
1156 }
1157
1158 /* Move the added cipher to this location */
1159 else if (rule == CIPHER_ORD) {
1160 /* reverse == 0 */
1161 if (curr->active) {
1162 ll_append_tail(&head, curr, &tail);
1163 curr->in_group = 0;
1164 }
1165 } else if (rule == CIPHER_DEL) {
1166 /* reverse == 1 */
1167 if (curr->active) {
1168 /* most recently deleted ciphersuites get best positions
1169 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1170 * works in reverse to maintain the order) */
1171 ll_append_head(&head, curr, &tail);
1172 curr->active = 0;
1173 curr->in_group = 0;
1174 }
1175 } else if (rule == CIPHER_KILL) {
1176 /* reverse == 0 */
1177 if (head == curr) {
1178 head = curr->next;
1179 } else {
1180 curr->prev->next = curr->next;
1181 }
1182
1183 if (tail == curr) {
1184 tail = curr->prev;
1185 }
1186 curr->active = 0;
1187 if (curr->next != NULL) {
1188 curr->next->prev = curr->prev;
1189 }
1190 if (curr->prev != NULL) {
1191 curr->prev->next = curr->next;
1192 }
1193 curr->next = NULL;
1194 curr->prev = NULL;
1195 }
1196 }
1197
1198 *head_p = head;
1199 *tail_p = tail;
1200 }
1201
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1202 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
1203 CIPHER_ORDER **tail_p) {
1204 int max_strength_bits, i, *number_uses;
1205 CIPHER_ORDER *curr;
1206
1207 /* This routine sorts the ciphers with descending strength. The sorting must
1208 * keep the pre-sorted sequence, so we apply the normal sorting routine as
1209 * '+' movement to the end of the list. */
1210 max_strength_bits = 0;
1211 curr = *head_p;
1212 while (curr != NULL) {
1213 if (curr->active &&
1214 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
1215 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
1216 }
1217 curr = curr->next;
1218 }
1219
1220 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1221 if (!number_uses) {
1222 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1223 return 0;
1224 }
1225 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
1226
1227 /* Now find the strength_bits values actually used. */
1228 curr = *head_p;
1229 while (curr != NULL) {
1230 if (curr->active) {
1231 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
1232 }
1233 curr = curr->next;
1234 }
1235
1236 /* Go through the list of used strength_bits values in descending order. */
1237 for (i = max_strength_bits; i >= 0; i--) {
1238 if (number_uses[i] > 0) {
1239 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
1240 }
1241 }
1242
1243 OPENSSL_free(number_uses);
1244 return 1;
1245 }
1246
ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD * ssl_method,const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1247 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1248 const char *rule_str,
1249 CIPHER_ORDER **head_p,
1250 CIPHER_ORDER **tail_p) {
1251 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1252 uint16_t min_version;
1253 const char *l, *buf;
1254 int multi, skip_rule, rule, retval, ok, in_group = 0, has_group = 0;
1255 size_t j, buf_len;
1256 uint32_t cipher_id;
1257 char ch;
1258
1259 retval = 1;
1260 l = rule_str;
1261 for (;;) {
1262 ch = *l;
1263
1264 if (ch == '\0') {
1265 break; /* done */
1266 }
1267
1268 if (in_group) {
1269 if (ch == ']') {
1270 if (*tail_p) {
1271 (*tail_p)->in_group = 0;
1272 }
1273 in_group = 0;
1274 l++;
1275 continue;
1276 }
1277
1278 if (ch == '|') {
1279 rule = CIPHER_ADD;
1280 l++;
1281 continue;
1282 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1283 !(ch >= '0' && ch <= '9')) {
1284 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
1285 retval = in_group = 0;
1286 break;
1287 } else {
1288 rule = CIPHER_ADD;
1289 }
1290 } else if (ch == '-') {
1291 rule = CIPHER_DEL;
1292 l++;
1293 } else if (ch == '+') {
1294 rule = CIPHER_ORD;
1295 l++;
1296 } else if (ch == '!') {
1297 rule = CIPHER_KILL;
1298 l++;
1299 } else if (ch == '@') {
1300 rule = CIPHER_SPECIAL;
1301 l++;
1302 } else if (ch == '[') {
1303 if (in_group) {
1304 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
1305 retval = in_group = 0;
1306 break;
1307 }
1308 in_group = 1;
1309 has_group = 1;
1310 l++;
1311 continue;
1312 } else {
1313 rule = CIPHER_ADD;
1314 }
1315
1316 /* If preference groups are enabled, the only legal operator is +.
1317 * Otherwise the in_group bits will get mixed up. */
1318 if (has_group && rule != CIPHER_ADD) {
1319 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1320 retval = in_group = 0;
1321 break;
1322 }
1323
1324 if (ITEM_SEP(ch)) {
1325 l++;
1326 continue;
1327 }
1328
1329 multi = 0;
1330 cipher_id = 0;
1331 alg_mkey = ~0u;
1332 alg_auth = ~0u;
1333 alg_enc = ~0u;
1334 alg_mac = ~0u;
1335 min_version = 0;
1336 skip_rule = 0;
1337
1338 for (;;) {
1339 ch = *l;
1340 buf = l;
1341 buf_len = 0;
1342 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1343 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1344 ch = *(++l);
1345 buf_len++;
1346 }
1347
1348 if (buf_len == 0) {
1349 /* We hit something we cannot deal with, it is no command or separator
1350 * nor alphanumeric, so we call this an error. */
1351 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1352 retval = in_group = 0;
1353 l++;
1354 break;
1355 }
1356
1357 if (rule == CIPHER_SPECIAL) {
1358 break;
1359 }
1360
1361 /* Look for a matching exact cipher. These aren't allowed in multipart
1362 * rules. */
1363 if (!multi && ch != '+') {
1364 for (j = 0; j < kCiphersLen; j++) {
1365 const SSL_CIPHER *cipher = &kCiphers[j];
1366 if (rule_equals(cipher->name, buf, buf_len)) {
1367 cipher_id = cipher->id;
1368 break;
1369 }
1370 }
1371 }
1372 if (cipher_id == 0) {
1373 /* If not an exact cipher, look for a matching cipher alias. */
1374 for (j = 0; j < kCipherAliasesLen; j++) {
1375 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1376 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1377 alg_auth &= kCipherAliases[j].algorithm_auth;
1378 alg_enc &= kCipherAliases[j].algorithm_enc;
1379 alg_mac &= kCipherAliases[j].algorithm_mac;
1380
1381 if (min_version != 0 &&
1382 min_version != kCipherAliases[j].min_version) {
1383 skip_rule = 1;
1384 } else {
1385 min_version = kCipherAliases[j].min_version;
1386 }
1387 break;
1388 }
1389 }
1390 if (j == kCipherAliasesLen) {
1391 skip_rule = 1;
1392 }
1393 }
1394
1395 /* Check for a multipart rule. */
1396 if (ch != '+') {
1397 break;
1398 }
1399 l++;
1400 multi = 1;
1401 }
1402
1403 /* If one of the CHACHA20_POLY1305 variants is selected, include the other
1404 * as well. They have the same name to avoid requiring changes in
1405 * configuration. Apply this transformation late so that the cipher name
1406 * still behaves as an exact name and not an alias in multipart rules.
1407 *
1408 * This is temporary and will be removed when the pre-standard construction
1409 * is removed. */
1410 if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD ||
1411 cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) {
1412 cipher_id = 0;
1413 alg_mkey = SSL_kECDHE;
1414 alg_auth = SSL_aRSA;
1415 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1416 alg_mac = SSL_AEAD;
1417 } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD ||
1418 cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) {
1419 cipher_id = 0;
1420 alg_mkey = SSL_kECDHE;
1421 alg_auth = SSL_aECDSA;
1422 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1423 alg_mac = SSL_AEAD;
1424 }
1425
1426 /* Ok, we have the rule, now apply it. */
1427 if (rule == CIPHER_SPECIAL) {
1428 /* special command */
1429 ok = 0;
1430 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
1431 ok = ssl_cipher_strength_sort(head_p, tail_p);
1432 } else {
1433 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1434 }
1435
1436 if (ok == 0) {
1437 retval = 0;
1438 }
1439
1440 /* We do not support any "multi" options together with "@", so throw away
1441 * the rest of the command, if any left, until end or ':' is found. */
1442 while (*l != '\0' && !ITEM_SEP(*l)) {
1443 l++;
1444 }
1445 } else if (!skip_rule) {
1446 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1447 min_version, rule, -1, in_group, head_p, tail_p);
1448 }
1449 }
1450
1451 if (in_group) {
1452 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1453 retval = 0;
1454 }
1455
1456 return retval;
1457 }
1458
STACK_OF(SSL_CIPHER)1459 STACK_OF(SSL_CIPHER) *
1460 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
1461 struct ssl_cipher_preference_list_st **out_cipher_list,
1462 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
1463 const char *rule_str) {
1464 int ok;
1465 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
1466 const char *rule_p;
1467 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1468 uint8_t *in_group_flags = NULL;
1469 unsigned int num_in_group_flags = 0;
1470 struct ssl_cipher_preference_list_st *pref_list = NULL;
1471
1472 /* Return with error if nothing to do. */
1473 if (rule_str == NULL || out_cipher_list == NULL) {
1474 return NULL;
1475 }
1476
1477 /* Now we have to collect the available ciphers from the compiled in ciphers.
1478 * We cannot get more than the number compiled in, so it is used for
1479 * allocation. */
1480 co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
1481 if (co_list == NULL) {
1482 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1483 return NULL;
1484 }
1485
1486 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
1487
1488 /* Now arrange all ciphers by preference:
1489 * TODO(davidben): Compute this order once and copy it. */
1490
1491 /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
1492 * key exchange mechanisms */
1493
1494 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
1495 0, &head, &tail);
1496 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1497 &head, &tail);
1498 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0,
1499 &head, &tail);
1500
1501 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1502 * CHACHA20 unless there is hardware support for fast and constant-time
1503 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1504 * old one. */
1505 if (EVP_has_aes_hardware()) {
1506 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1507 &head, &tail);
1508 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1509 &head, &tail);
1510 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1511 -1, 0, &head, &tail);
1512 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
1513 CIPHER_ADD, -1, 0, &head, &tail);
1514 } else {
1515 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1516 -1, 0, &head, &tail);
1517 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
1518 CIPHER_ADD, -1, 0, &head, &tail);
1519 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1520 &head, &tail);
1521 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1522 &head, &tail);
1523 }
1524
1525 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
1526 * 3DES_EDE_CBC_SHA, RC4_128_SHA, RC4_128_MD5. */
1527 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1528 &head, &tail);
1529 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1530 &head, &tail);
1531 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1532 &tail);
1533 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, 0, CIPHER_ADD, -1, 0,
1534 &head, &tail);
1535 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, 0, CIPHER_ADD, -1, 0,
1536 &head, &tail);
1537
1538 /* Temporarily enable everything else for sorting */
1539 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1540 &tail);
1541
1542 /* Move ciphers without forward secrecy to the end. */
1543 ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, 0,
1544 CIPHER_ORD, -1, 0, &head, &tail);
1545
1546 /* Now disable everything (maintaining the ordering!) */
1547 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1548 &tail);
1549
1550 /* If the rule_string begins with DEFAULT, apply the default rule before
1551 * using the (possibly available) additional rules. */
1552 ok = 1;
1553 rule_p = rule_str;
1554 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1555 ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1556 &tail);
1557 rule_p += 7;
1558 if (*rule_p == ':') {
1559 rule_p++;
1560 }
1561 }
1562
1563 if (ok && strlen(rule_p) > 0) {
1564 ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
1565 }
1566
1567 if (!ok) {
1568 goto err;
1569 }
1570
1571 /* Allocate new "cipherstack" for the result, return with error
1572 * if we cannot get one. */
1573 cipherstack = sk_SSL_CIPHER_new_null();
1574 if (cipherstack == NULL) {
1575 goto err;
1576 }
1577
1578 in_group_flags = OPENSSL_malloc(kCiphersLen);
1579 if (!in_group_flags) {
1580 goto err;
1581 }
1582
1583 /* The cipher selection for the list is done. The ciphers are added
1584 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1585 for (curr = head; curr != NULL; curr = curr->next) {
1586 if (curr->active) {
1587 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1588 goto err;
1589 }
1590 in_group_flags[num_in_group_flags++] = curr->in_group;
1591 }
1592 }
1593 OPENSSL_free(co_list); /* Not needed any longer */
1594 co_list = NULL;
1595
1596 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1597 if (tmp_cipher_list == NULL) {
1598 goto err;
1599 }
1600 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1601 if (!pref_list) {
1602 goto err;
1603 }
1604 pref_list->ciphers = cipherstack;
1605 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1606 if (!pref_list->in_group_flags) {
1607 goto err;
1608 }
1609 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1610 OPENSSL_free(in_group_flags);
1611 in_group_flags = NULL;
1612 if (*out_cipher_list != NULL) {
1613 ssl_cipher_preference_list_free(*out_cipher_list);
1614 }
1615 *out_cipher_list = pref_list;
1616 pref_list = NULL;
1617
1618 if (out_cipher_list_by_id != NULL) {
1619 sk_SSL_CIPHER_free(*out_cipher_list_by_id);
1620 *out_cipher_list_by_id = tmp_cipher_list;
1621 tmp_cipher_list = NULL;
1622 (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
1623 ssl_cipher_ptr_id_cmp);
1624
1625 sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
1626 } else {
1627 sk_SSL_CIPHER_free(tmp_cipher_list);
1628 tmp_cipher_list = NULL;
1629 }
1630
1631 return cipherstack;
1632
1633 err:
1634 OPENSSL_free(co_list);
1635 OPENSSL_free(in_group_flags);
1636 sk_SSL_CIPHER_free(cipherstack);
1637 sk_SSL_CIPHER_free(tmp_cipher_list);
1638 if (pref_list) {
1639 OPENSSL_free(pref_list->in_group_flags);
1640 }
1641 OPENSSL_free(pref_list);
1642 return NULL;
1643 }
1644
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1645 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1646
ssl_cipher_get_value(const SSL_CIPHER * cipher)1647 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1648 uint32_t id = cipher->id;
1649 /* All ciphers are SSLv3. */
1650 assert((id & 0xff000000) == 0x03000000);
1651 return id & 0xffff;
1652 }
1653
SSL_CIPHER_is_AES(const SSL_CIPHER * cipher)1654 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1655 return (cipher->algorithm_enc & SSL_AES) != 0;
1656 }
1657
SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER * cipher)1658 int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
1659 return (cipher->algorithm_mac & SSL_MD5) != 0;
1660 }
1661
SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER * cipher)1662 int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1663 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1664 }
1665
SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER * cipher)1666 int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1667 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1668 }
1669
SSL_CIPHER_is_AESGCM(const SSL_CIPHER * cipher)1670 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
1671 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
1672 }
1673
SSL_CIPHER_is_AES128GCM(const SSL_CIPHER * cipher)1674 int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1675 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1676 }
1677
SSL_CIPHER_is_AES128CBC(const SSL_CIPHER * cipher)1678 int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1679 return (cipher->algorithm_enc & SSL_AES128) != 0;
1680 }
1681
SSL_CIPHER_is_AES256CBC(const SSL_CIPHER * cipher)1682 int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1683 return (cipher->algorithm_enc & SSL_AES256) != 0;
1684 }
1685
SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER * cipher)1686 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
1687 return (cipher->algorithm_enc &
1688 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0;
1689 }
1690
SSL_CIPHER_is_NULL(const SSL_CIPHER * cipher)1691 int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1692 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1693 }
1694
SSL_CIPHER_is_RC4(const SSL_CIPHER * cipher)1695 int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher) {
1696 return (cipher->algorithm_enc & SSL_RC4) != 0;
1697 }
1698
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1699 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1700 /* Neither stream cipher nor AEAD. */
1701 return (cipher->algorithm_enc & (SSL_RC4 | SSL_eNULL)) == 0 &&
1702 cipher->algorithm_mac != SSL_AEAD;
1703 }
1704
SSL_CIPHER_is_ECDSA(const SSL_CIPHER * cipher)1705 int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1706 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1707 }
1708
SSL_CIPHER_is_DHE(const SSL_CIPHER * cipher)1709 int SSL_CIPHER_is_DHE(const SSL_CIPHER *cipher) {
1710 return (cipher->algorithm_mkey & SSL_kDHE) != 0;
1711 }
1712
SSL_CIPHER_is_ECDHE(const SSL_CIPHER * cipher)1713 int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1714 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1715 }
1716
SSL_CIPHER_is_CECPQ1(const SSL_CIPHER * cipher)1717 int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) {
1718 return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0;
1719 }
1720
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1721 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1722 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1723 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1724 * afterwards specify a particular hash. */
1725 return TLS1_2_VERSION;
1726 }
1727 return SSL3_VERSION;
1728 }
1729
1730 /* return the actual cipher being used */
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1731 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1732 if (cipher != NULL) {
1733 return cipher->name;
1734 }
1735
1736 return "(NONE)";
1737 }
1738
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1739 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1740 if (cipher == NULL) {
1741 return "";
1742 }
1743
1744 switch (cipher->algorithm_mkey) {
1745 case SSL_kRSA:
1746 return "RSA";
1747
1748 case SSL_kDHE:
1749 switch (cipher->algorithm_auth) {
1750 case SSL_aRSA:
1751 return "DHE_RSA";
1752 default:
1753 assert(0);
1754 return "UNKNOWN";
1755 }
1756
1757 case SSL_kECDHE:
1758 switch (cipher->algorithm_auth) {
1759 case SSL_aECDSA:
1760 return "ECDHE_ECDSA";
1761 case SSL_aRSA:
1762 return "ECDHE_RSA";
1763 case SSL_aPSK:
1764 return "ECDHE_PSK";
1765 default:
1766 assert(0);
1767 return "UNKNOWN";
1768 }
1769
1770 case SSL_kCECPQ1:
1771 switch (cipher->algorithm_auth) {
1772 case SSL_aECDSA:
1773 return "CECPQ1_ECDSA";
1774 case SSL_aRSA:
1775 return "CECPQ1_RSA";
1776 default:
1777 assert(0);
1778 return "UNKNOWN";
1779 }
1780
1781 case SSL_kPSK:
1782 assert(cipher->algorithm_auth == SSL_aPSK);
1783 return "PSK";
1784
1785 default:
1786 assert(0);
1787 return "UNKNOWN";
1788 }
1789 }
1790
ssl_cipher_get_enc_name(const SSL_CIPHER * cipher)1791 static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1792 switch (cipher->algorithm_enc) {
1793 case SSL_3DES:
1794 return "3DES_EDE_CBC";
1795 case SSL_RC4:
1796 return "RC4";
1797 case SSL_AES128:
1798 return "AES_128_CBC";
1799 case SSL_AES256:
1800 return "AES_256_CBC";
1801 case SSL_AES128GCM:
1802 return "AES_128_GCM";
1803 case SSL_AES256GCM:
1804 return "AES_256_GCM";
1805 case SSL_CHACHA20POLY1305:
1806 case SSL_CHACHA20POLY1305_OLD:
1807 return "CHACHA20_POLY1305";
1808 break;
1809 default:
1810 assert(0);
1811 return "UNKNOWN";
1812 }
1813 }
1814
ssl_cipher_get_prf_name(const SSL_CIPHER * cipher)1815 static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
1816 switch (cipher->algorithm_prf) {
1817 case SSL_HANDSHAKE_MAC_DEFAULT:
1818 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
1819 * only ever MD5 or SHA-1. */
1820 switch (cipher->algorithm_mac) {
1821 case SSL_MD5:
1822 return "MD5";
1823 case SSL_SHA1:
1824 return "SHA";
1825 }
1826 break;
1827 case SSL_HANDSHAKE_MAC_SHA256:
1828 return "SHA256";
1829 case SSL_HANDSHAKE_MAC_SHA384:
1830 return "SHA384";
1831 }
1832 assert(0);
1833 return "UNKNOWN";
1834 }
1835
SSL_CIPHER_get_rfc_name(const SSL_CIPHER * cipher)1836 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1837 if (cipher == NULL) {
1838 return NULL;
1839 }
1840
1841 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1842 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1843 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1844
1845 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
1846 size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
1847 strlen(prf_name) + 1;
1848 char *ret = OPENSSL_malloc(len);
1849 if (ret == NULL) {
1850 return NULL;
1851 }
1852 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
1853 BUF_strlcat(ret, kx_name, len) >= len ||
1854 BUF_strlcat(ret, "_WITH_", len) >= len ||
1855 BUF_strlcat(ret, enc_name, len) >= len ||
1856 BUF_strlcat(ret, "_", len) >= len ||
1857 BUF_strlcat(ret, prf_name, len) >= len) {
1858 assert(0);
1859 OPENSSL_free(ret);
1860 return NULL;
1861 }
1862 assert(strlen(ret) + 1 == len);
1863 return ret;
1864 }
1865
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1866 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1867 if (cipher == NULL) {
1868 return 0;
1869 }
1870
1871 int alg_bits, strength_bits;
1872 switch (cipher->algorithm_enc) {
1873 case SSL_AES128:
1874 case SSL_AES128GCM:
1875 case SSL_RC4:
1876 alg_bits = 128;
1877 strength_bits = 128;
1878 break;
1879
1880 case SSL_AES256:
1881 case SSL_AES256GCM:
1882 #if !defined(BORINGSSL_ANDROID_SYSTEM)
1883 case SSL_CHACHA20POLY1305_OLD:
1884 #endif
1885 case SSL_CHACHA20POLY1305:
1886 alg_bits = 256;
1887 strength_bits = 256;
1888 break;
1889
1890 case SSL_3DES:
1891 alg_bits = 168;
1892 strength_bits = 112;
1893 break;
1894
1895 case SSL_eNULL:
1896 alg_bits = 0;
1897 strength_bits = 0;
1898 break;
1899
1900 default:
1901 assert(0);
1902 alg_bits = 0;
1903 strength_bits = 0;
1904 }
1905
1906 if (out_alg_bits != NULL) {
1907 *out_alg_bits = alg_bits;
1908 }
1909 return strength_bits;
1910 }
1911
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1912 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1913 int len) {
1914 const char *kx, *au, *enc, *mac;
1915 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1916
1917 alg_mkey = cipher->algorithm_mkey;
1918 alg_auth = cipher->algorithm_auth;
1919 alg_enc = cipher->algorithm_enc;
1920 alg_mac = cipher->algorithm_mac;
1921
1922 switch (alg_mkey) {
1923 case SSL_kRSA:
1924 kx = "RSA";
1925 break;
1926
1927 case SSL_kDHE:
1928 kx = "DH";
1929 break;
1930
1931 case SSL_kECDHE:
1932 kx = "ECDH";
1933 break;
1934
1935 case SSL_kCECPQ1:
1936 kx = "CECPQ1";
1937 break;
1938
1939 case SSL_kPSK:
1940 kx = "PSK";
1941 break;
1942
1943 default:
1944 kx = "unknown";
1945 }
1946
1947 switch (alg_auth) {
1948 case SSL_aRSA:
1949 au = "RSA";
1950 break;
1951
1952 case SSL_aECDSA:
1953 au = "ECDSA";
1954 break;
1955
1956 case SSL_aPSK:
1957 au = "PSK";
1958 break;
1959
1960 default:
1961 au = "unknown";
1962 break;
1963 }
1964
1965 switch (alg_enc) {
1966 case SSL_3DES:
1967 enc = "3DES(168)";
1968 break;
1969
1970 case SSL_RC4:
1971 enc = "RC4(128)";
1972 break;
1973
1974 case SSL_AES128:
1975 enc = "AES(128)";
1976 break;
1977
1978 case SSL_AES256:
1979 enc = "AES(256)";
1980 break;
1981
1982 case SSL_AES128GCM:
1983 enc = "AESGCM(128)";
1984 break;
1985
1986 case SSL_AES256GCM:
1987 enc = "AESGCM(256)";
1988 break;
1989
1990 case SSL_CHACHA20POLY1305_OLD:
1991 enc = "ChaCha20-Poly1305-Old";
1992 break;
1993
1994 case SSL_CHACHA20POLY1305:
1995 enc = "ChaCha20-Poly1305";
1996 break;
1997
1998 case SSL_eNULL:
1999 enc="None";
2000 break;
2001
2002 default:
2003 enc = "unknown";
2004 break;
2005 }
2006
2007 switch (alg_mac) {
2008 case SSL_MD5:
2009 mac = "MD5";
2010 break;
2011
2012 case SSL_SHA1:
2013 mac = "SHA1";
2014 break;
2015
2016 case SSL_SHA256:
2017 mac = "SHA256";
2018 break;
2019
2020 case SSL_SHA384:
2021 mac = "SHA384";
2022 break;
2023
2024 case SSL_AEAD:
2025 mac = "AEAD";
2026 break;
2027
2028 default:
2029 mac = "unknown";
2030 break;
2031 }
2032
2033 if (buf == NULL) {
2034 len = 128;
2035 buf = OPENSSL_malloc(len);
2036 if (buf == NULL) {
2037 return NULL;
2038 }
2039 } else if (len < 128) {
2040 return "Buffer too small";
2041 }
2042
2043 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
2044 cipher->name, kx, au, enc, mac);
2045 return buf;
2046 }
2047
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)2048 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
2049 return "TLSv1/SSLv3";
2050 }
2051
SSL_COMP_get_compression_methods(void)2052 COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; }
2053
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)2054 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
2055
SSL_COMP_get_name(const COMP_METHOD * comp)2056 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
2057
ssl_cipher_get_key_type(const SSL_CIPHER * cipher)2058 int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
2059 uint32_t alg_a = cipher->algorithm_auth;
2060
2061 if (alg_a & SSL_aECDSA) {
2062 return EVP_PKEY_EC;
2063 } else if (alg_a & SSL_aRSA) {
2064 return EVP_PKEY_RSA;
2065 }
2066
2067 return EVP_PKEY_NONE;
2068 }
2069
ssl_cipher_uses_certificate_auth(const SSL_CIPHER * cipher)2070 int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
2071 return (cipher->algorithm_auth & SSL_aCERT) != 0;
2072 }
2073
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)2074 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
2075 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
2076 if (cipher->algorithm_mkey & SSL_kDHE ||
2077 cipher->algorithm_mkey & SSL_kECDHE ||
2078 cipher->algorithm_mkey & SSL_kCECPQ1) {
2079 return 1;
2080 }
2081
2082 /* It is optional in all others. */
2083 return 0;
2084 }
2085
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)2086 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
2087 size_t block_size;
2088 switch (cipher->algorithm_enc) {
2089 case SSL_3DES:
2090 block_size = 8;
2091 break;
2092 case SSL_AES128:
2093 case SSL_AES256:
2094 block_size = 16;
2095 break;
2096 default:
2097 return 0;
2098 }
2099
2100 size_t mac_len;
2101 switch (cipher->algorithm_mac) {
2102 case SSL_MD5:
2103 mac_len = MD5_DIGEST_LENGTH;
2104 break;
2105 case SSL_SHA1:
2106 mac_len = SHA_DIGEST_LENGTH;
2107 break;
2108 default:
2109 return 0;
2110 }
2111
2112 size_t ret = 1 + mac_len;
2113 ret += block_size - (ret % block_size);
2114 return ret;
2115 }
2116